AAA Easy to understand Tutorial.


28 replies to this topic

#1 pappyaar

pappyaar

    Cisco Routing/EEM/TCL

  • Technical Experts
  • 959 posts
  • Gender:Male

Posted 05 June 2009 - 03:13 PM

Hi all.

Even before I started my studies for CCNP, there were two topics that fascinated me a lot: AAA & QoS. My exposure to IOS wasn't even at newbie level and I tried to study AAA, which resulted in frustration and failure. At that time there wasn't much
guidance; I didn't know about the existence of forums and all, so there was simply no one to point me in the right direction. After
getting a bit of hands-on with IOS, I tried again and failed miserably. I wasn't getting a single word of what was happening in AAA!!!
It was becoming a mystery as I proceeded with my studies. But the interest never lacked. What issues did I actually face?

1) Lack of confidence with IOS
2) No proper working examples found anywhere.
3) "Reading between the lines" aptitude needed for Cisco docs
4) OK!! I have configured it at last, but what has happened? (Verification of the configured task)
5) When should I use AAA? When shouldn't I?
6) What is this authorization everyone talks about?
7) Do I really need to understand this?

And a lot more confusion followed ;-)

In this long (perhaps very long) tutorial, I will try to cover the findings which are very rare to find in any books or docs.
I haven't read all the books that contain the word AAA in them or in their context, but I referred to a few to solve some of the
confusions; all came up with 99% similar explanations and configs, not helping much. To be honest I haven't read a single
chapter in any book on AAA. It was all me and Cisco docs in this small (yet interesting) journey of mine.

Note: This is the second topic after EEM that I have tried to understand completely using Cisco docs.

What I don't cover in this tutorial (Yet/Never)?
Yet means I will add this in future if life/time permits.
<Never actually know when we shall lose the last of what we have>

Never means this topic will probably never be discussed in future.

1) ACS 3.3/4.x (YET)
2) Using AAA for services like PPP (Never).
3) Accounting (YET, it will be covered in detail with ACS)

Who should read this tutorial?

Anyone who has taken CCNA classes or done self-study and has been using

Line vty 0 4
password xx
login

Enable password
enable secret.

If you have just used the above, you MUST read this tutorial :-).

How to read this?

Well, of course with your eyes, but actually how to use this tutorial. If you have opened PT, simply close it and get dynamips/GNS3 running. All of our examples contain IOS 12.4 and only 2 routers, so it will be easy for you to understand. You
can use one router and a PC, because if I am not wrong PCs can be used in GNS3. I used a router because I was using dynamips.

Try out each and everything on your own, each and everything!!! Don't take any single comment or line for granted.
You have no reason to trust me, nor anyone. Take it as a guide, compiling each and everything and presenting it here. It may
contain errors (which I tried my level best to avoid).

This tutorial will take you from the ground up and a bit into intermediate level (can't call it expert level because experts might complain
;-) ).

OK, so in this tutorial we will be talking a lot about AA, i.e. authentication and authorization, leaving accounting alone for
a while :-).

Let's get started.

Note: This tutorial consists of the basics you MUST know before you move on to AAA. I haven't discussed AAA yet in this part. It will be from part 3 onwards. Do read this if you want to make sure you know all the necessary stuff regarding access control.

What is Authentication?

Authentication is the process of identifying yourself to the questioning party. In our case this party is the router. The router
performs authentication for 2 purposes.
1) When you are logging on to the router for monitoring/configuration purposes, and this is the main point that will be discussed
here.
2) When the router is providing some services for users like PPP and others. This will not be discussed from this point onwards.

You can get a lot of useless theory on AAA, its benefits, and other crap easily in any book or anywhere. We will dive into
technical details to see what is there for us, and what we can do with it.

Note: very important note. Keep in mind the context and scope of this tutorial. I am discussing authentication/authorization
when a user is logging in to the router,
NOT WHEN THE ROUTER IS DOING IT FOR SOME OF ITS SERVICES LIKE PPP, EASY-VPN etc.

Q) Is it necessary to perform authentication?
A) No. You can easily skip the authentication process. Remember that for local login, i.e. through the console port,
authentication usually never happens. But when you log in remotely through telnet/SSH, you LAND on any of the available vty
lines. These are software components to handle your remote sessions. In practice you must be telnetting to some interface IP,
right? But actually, when IOS receives any telnet/SSH request, it has to define a LINE VTY x to handle this request. Since a
separate line is dedicated to every user, all authentication/authorization processes and config parameters are dealt with/configured
in line config mode only. Interfaces like ethernet/serial usually don't have any such parameters for auth/author.

Q) OK!! Hmmmm..... Can we skip authentication in remote sessions also, like console login?
A) Yes, and EASILY!! First observe something. When you configure your router from the default configuration, this is what
you see.

line con 0
line aux 0
line vty 0 4
login
!
!
end

Noticed some difference between line con 0 and line vty?
Line vty 0 4 comes with the -login- command. This login command tells the router to prompt for the password in order to
authenticate the user. Remove this command under line vty 0 4 using no login and next time you telnet to this router, you
will not be asked for a password!!!
From now onwards, I will be using a simple topology: R1 and R2 connected via fas0/0 (you can use a PC in place of R2). We will
always be configuring R1 and using R2 only to telnet, to verify our points. IP of R1 is 10.0.0.1 and R2 is 10.0.0.2.

Default telnet example!
R2# telnet 10.0.0.1
Trying 10.0.0.1 ... Open


Password required, but none set

[Connection to 10.0.0.1 closed by foreign host]
R2#

What just happened? The login command was configured by default. But no password was set, so R1 knew that there is no point in authenticating when it doesn't have a password configured. So we usually set a password under line vty, remember! But since we want to skip authentication, simply remove the command by issuing -no login- under line vty 0 4.

After

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1>

What we observed above is called line authentication, because all we did was under line vty 0 4.

Q) That's good. But what just happened? I mean, I am confused as to what this R1> prompt is. I don't know what to ask, I am
just confused!!!

A) Well, you better be. Let's talk about privilege levels in IOS. Have you heard about them?

YES. Good.
NO :-(, Well, you just did ;-)

OK, what do privilege levels actually have to do with this question?
When you telnet/SSH to the router, where do you expect to land?
On line vty, of course, but Cisco didn't come up with a separate place to accommodate users; it decided that by default, if a user
comes in via telnet/SSH or local console, "I will put him in privilege level 1".
So let's understand the myth behind privilege levels.
IOS uses 16 privilege levels, numbered from 0 to 15.

Level 0 -> No-use mode; use it if you want someone to pull his hair out or hit his head on a wall ;-). There aren't any
commands on this level to actually even see something!!!! See below

R1#disable 0
R1>?
Exec commands:
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

R1>show running
^
% Invalid input detected at '^' marker.

R1>conf t
^
% Invalid input detected at '^' marker.

R1> WHAT THE HELL I AM SUPPOSED TO DO HERE ? WHO PUT ME HERE, TELL ME HIS NAME AND I WILL ........

This never happened to me because there isn't much to do in privilege level 0. All you can do is get frustrated :-)

Level 1 -> user exec mode. You can do some basic monitoring stuff, like some basic show commands, ping, telnet, trace etc.
BUT YOU CAN'T VIEW YOUR RUNNING-CONFIG/STARTUP-CONFIG AND CAN'T CONFIGURE ANYTHING HERE. -CONFIGURE- IS NOT HERE!!!

Level 15 -> priv exec mode (call it king mode ;-) ). In this mode you can do anything. You can view anything and configure
anything.
Basically, privilege levels define what rights a user has in that mode. By rights I essentially mean commands that a
user can execute. As we saw, through privilege levels we can control which commands a user can execute. That's it!!!

Q) Where did we see this? You are cheating!!!!!!!

A) No, I am not. In priv level 1 do -?- and check what commands you have. Then go to level 15 by doing -enable- and again do
-?- and see the LARGE list of commands that weren't present in priv level 1.

Q) OK OK, got it. So what's the use of the other priv levels? When do I have to use them? WHY should I use them?

A) Answering the first -> "Why should I use them". No one said you should. Just don't if you don't feel the need. I mean, if
something is out there, that doesn't make it an obligation to actually use it!! I am using AAA and never ever felt a need to
use any priv levels other than the default ones. But that surely depends on my requirements. If your requirements are such that
you may want to use priv levels, then go for it. Don't worry, I will take you down the path myself ;-)

Now by default we have just 3 levels. Other levels are not actually there. Some say they are not present, some say they are
not activated. This actually doesn't matter. Now carefully look below. I will try to clear up the meaning of the -enable- and
-disable- commands.

R1#sh privilege
Current privilege level is 15
R1#

Now when you enter -enable password cisco-, the exact syntax is

enable password <level (0-15)> LINE

R1(config)#enable password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) 'enable' password
level Set exec level password

As you can see, when you don't enter a level, then level 15 is ASSUMED by default.

FACTS to remember.

1) When accessing via console port

1) The first level you will LAND on will always be level 1 by default

2) No authentication is required for level 1 and level 15 by default, i.e. if you type -enable- you can successfully move
to priv level 15

R1>enable
R1#

3) You will use the disable command to move to a lower level
R1#disable
R1>

When you enter either of these commands, you have to mention the level you want to reach. If you don't define any level then
the default for
enable is 15
disable is 1

So when you enter simply -enable- it means -enable 15-.
If you are in a lower priv mode, let's say priv 1, and you want to go to a higher level, let's say 2:

R1>enable 2
% No password set
R1>

But if you are in a higher priv level like 15 and want to downgrade to level 2, you don't need any password.

R1#disable 2
R1#sh privilege
Current privilege level is 2
R1#

So you must set an enable password for a particular level if you want to reach it from a lower level. You can do this in priv
mode 15 like this:

R1#config ter
R1(config)#enable password level 2 cisco
% Converting to a secret. Please use "enable secret" in the future.

R1(config)#end
R1#disable 1
R1>enable 2
Password:
R1#

2) When remotely accessing.

1) The level that you get will always be priv 1 by default
2) Authentication is required by default for both level 1 and level 15.

Skipping authentication for level 1 has already been discussed above. Skipping authentication for level 15 will be discussed later.

Q) When!!!!!!!
A) Don't worry, in this tutorial I will cover it in more detail.

OK, so far you might not have seen anything that interesting. Very basic, even for a CCNP. But don't underestimate it; there
are things that might give you headaches if you start thinking over them ;-).

2nd session starting....

Q) When we access the router, whether via console or line vty 0 4, you said we fall into priv level 1. Why is that so? Can we
do something to log in to some other level? Like, let's say, can we directly go to level 15?

A) OK, let's see the default config again

line con 0
line aux 0
line vty 0 4
login
!
!
end

Now turn on infra-red glasses and see what the actual config is

line con 0
privilege level 1
line aux 0
privilege level 1
line vty 0 4
privilege level 1
login

Interesting, isn't it? According to the defaults set on IOS, whenever a user logs in via ANY line, place him in
priv level 1. This command is there by default and is not shown in running-config. If you change it to any other level, then
it will appear in running-config.
This command simply tells which level a user will get if he comes via console or via telnet/SSH. If you set it to level
15 then you will directly jump to level 15.

Now look at Facts to remember -> 2 -> 2

"Authentication is required by default for both level 1 and level 15". Now also remember your question: can we skip
authentication to level 15?

Getting any ideas on how to do this ;-)

1) Change the priv level to 15 by issuing the -privilege level 15- command under line vty 0 4
2) Turn off line authentication using -no login-

R1 relevant config

line vty 0 4
privilege level 15
no login

R2>telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1#sh privilege
Current privilege level is 15
R1#

Of course you can add authentication to this process. I have done this to answer the previous question.
1) Make sure you have given an enable password (or actually <enable password level 15>)
2) -login- is configured under line vty 0 4 to perform line authentication.

R1 relevant config

enable password cisco
!
!
line vty 0 4
privilege level 15
login

R2>telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
R1#sh privi
Current privilege level is 15
R1#

I hope it's clear till here.

Q) What if I configure a password under line vty 0 4? Which will take preference now?
The level-specific password given through the enable password command?
Or the line-specific password?

A) IOS will obey what is configured under line configuration, because that is where you are landing remotely. So consider this

R1 relevant config

enable secret cisco (you can use enable password as well, it doesn't matter.)
!
!
line vty 0 4
privilege level 15
password cisco12345
login

R2>telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:(entered enable password "cisco")

Password:(entered line password "cisco12345")
R1#sh privilege
Current privilege level is 15
R1#

Q) So far it's OK. But why do we actually need other priv levels? They are there for some purpose, so what is that purpose, or are
they really obsolete? Any ideas when I should be using them?
A) Why will you put a user in some other priv level? The question remains..... because we haven't explored the levels yet. This
is one step towards some tricky stuff the IOS does ;-)

Now on R1, first log in to enable mode (priv 15). Now downgrade to levels 2 to 14, doing -?- on each level.
Remember, if you are in level 2 and try moving to level 3 or any higher level (except level 15) you will be asked for a
password. So for now simply go to enable mode every time and downgrade to the levels, like this

R1#disable 2
R1#sh privi
Current privilege level is 2
R1#enable
R1#sh privi
Current privilege level is 15
R1#disable 3
R1#sh privi
Current privilege level is 3
R1#

You will see that there is almost the same set of commands on every priv level!!!!

Q) So what's the use of all these priv levels? I thought that as we move higher the more commands we will get, but it seems
that all the priv levels are the same, so it confuses more!!!
A) It's right that there aren't many useful commands in these priv levels. Let's discuss a scenario in which you might be
needing priv levels. In this way it will make more sense.

1) You have 4 routers in your network that you manage
2) You are not using any external AAA server, like ACS or any other.
3) A new guy has just joined, and you have appointed him in the support dept. His job is to make sure that all the links
between these routers (by the way, all these 4 routers are in different cities, connected via WAN links like fiber, DXX
etc.) are working fine. Primary links as well as backup links.
4) You must not allow him priv level 15, since you don't yet trust his skills and are afraid that intentionally/unintentionally
he may commit something wrong.
5) You met with your boss and discussed the issue.
6) Your boss said
"OK fine, give him lower access to commands"
You said
"Ahhh.. Sir, but we don't have any server to handle this"
Your boss
"So find the solution, why do you think I am paying you $xx per month?"
You said (probably in your heart)
"Yes, to give him limited access without any AAA server. Yes, very nice, how the hell am I supposed to do that!!!!"
You said
"OK sir, what access should I give him?"
Boss said
"Do I have to tell you this? Are you managing the routers or am I? Why am I paying you ........"
7) Don't panic, let's get working
Let's say we agree that for monitoring purposes, the guy must be able to shut and no shut the interfaces (which is risky for
a new guy, but just do it :-) ). Allow him to view and change IP routes (again risky, ya ya I know).

Q) But how am I supposed to do this? There aren't any config commands in lower levels, you said that yourself, so it means
you were lying!!!!
A) Nope, I wasn't. But I never said I can't bring a command to a lower level ;-) Did I say that?

Q) Nope, not exactly. OK, so how do we do this?
A) Let's play ;-)

IOS provides us with a mechanism through which we can MOVE commands between levels. Confusing? Not anymore.
If you recall, I said the -config- command is present in level 15 only. I can bring this command to any lower level, EVEN LEVEL 0!!!!!

The command to do this is -privilege- in global configuration mode.

R1(config)#privilege ?
exec
configure
interface
--More--

Note: When you do -?- above, the list is exhaustive; I have just shown these 3 familiar terms for simplicity.

Now without explanation, just look at what I am doing

R1(config)#privilege exec level 0 configure
R1(config)#end
R1#disable 0
R1>?
Exec commands:
configure Enter configuration mode
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

R1>configure ?
<cr>

R1>configure
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)>?
Configure commands:
call Configure Call parameters
default Set a command to its defaults
end Exit from configure mode
exit Exit from configure mode
help Description of the interactive help system
no Negate a command or set its defaults

R1(config)>

Now can you see that the configure command is now in level 0!!! But you can also see there still isn't much you can do with this
command, since it's empty.

Now first understand a simple behaviour of IOS. If a command is present in a lower level, that command WILL BE PRESENT IN ALL HIGHER LEVELS AS WELL. But vice versa is not true.

In level 0 we had enable, disable etc. commands, right? Check out priv 15: you will have all of these commands as well. But
there are many priv 15 commands that are simply not there in level 0.

Now remember the above rule. A command in a lower level will be present in all higher levels that you can access.

Proof of concept

R1(config)>end
R1>en
R1#
R1#sh privi
Current privilege level is 15
R1#disable 1
R1>?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
clear Reset functions
configure Enter configuration mode
connect Open a terminal connection

See!!! The configure command is now also present in level 1. It will be present in all levels above, till level 15 ;-) Try logging in to other levels and see for yourself.

Clear?

Q) Ahhh...hmmmm. Why are you saying it's MOVING commands to lower levels? It's simply copying. You have copied the command to
lower levels, why confuse with the word MOVING? Is your English that bad?
A) My English is very bad, but still not that bad. I said it for two reasons

1) It's written in Cisco docs
2) IT'S TRUE!!!

See, using the -privilege- command you simply change the default level of any command. Then the command will only exist on that level and the levels above, BUT NOT ON ANY LOWER LEVELS!!!

Proof of concept!

As we know, the configure command has its default level set to 15. It means by default you can access this command only and
only from priv 15.
Since our levels start from 0, all five commands present in level 0 have their default levels set to 0. This makes sense,
doesn't it? Commands at level 0 by default are

disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

Now let's say I want to change the default level of the enable command from level 0 to, let's say, level 1. This means this command
will be present from level 1 onwards but not below!!!

R1(config)#privilege exec level 1 enable
R1(config)#end
R1#disab
*Jun 4 10:33:50.599: %SYS-5-CONFIG_I: Configured from console by console
R1#disable 0
R1>?
Exec commands:
configure Enter configuration mode
disable Turn off privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

R1>

As you can see, the enable command is MOVED to a higher level now. I hope you understand what is meant by MOVING the commands.

Summary. If a command is MOVED from a higher to a lower level, then it's merely copying.
If a command is MOVED from a lower to a higher level, then indeed you have moved this command ;-)

Q) How will I know the default level of any command? Is it documented on the site or somewhere?
A) I don't think it's documented. But once you play around a lot with levels, logging in to different levels, you will be able to
figure out the default level of a command.

Q) I didn't get it... HOW??
A) OK. Go to priv 15, then disable to level 1. Do -?- and you will see a long list of commands, right? Subtract the set of
commands of level 0 (which is just five commands) from that list; then all these commands have their default level set to 1.

See. Can you do show in level 0 by default?

Q) No!!!!!
A) In which next level do you get this command?

Q) In priv level 1 I can see this command!!!!!
A) That means show has the default level of 1. Priv 15 and all other higher levels inherit it from level 1 ;-)

Q) Cool!!
A) Now let me take some rest.....

Q) NO REST for you. JUST EXPLAIN MORE!!!!
A) Fine... Let's understand the syntax of the -privilege- commands.

A quick review of how you play with commands in IOS

R1#
(you are in exec mode)

R1#show running-config
(you issue this command on exec mode)

R1#ping 10.0.0.2
(you issue this command on exec mode)

R1#config term
(you issue this command on exec mode)

R1(config)# ip route x.x.x.x x.x.x.x x.x.x.x
(you issue this command on config mode)

R1(config)# interface ethernet 0/0
(you issue this command on config mode)

R1(config-if)# ip address 20.0.0.1 255.0.0.0
(you issue this command on interface mode)

Now let's recall our scenario

Let's say I want this new guy (his name is Mr. A) to shut and no shut interfaces, right?

1) shut and no shut are interface-level commands.
2) For these commands to execute you must also allow the interface command
3) For the interface command you must allow the config command
4) You must also allow the ip route command.

Now which priv level to use? Well, we can use any level except 15. Once you are in 15 you can't filter commands without an
AAA server.

Let's choose level 4 (it's totally random. You can select any level number of your choice from 0-14)

How many exec commands do I want to allow
1) Allow Mr. A to show running-config so he can verify ip routes
2) Allow him sh ip int brief
3) Allow him the configure command

How many configure-level commands do I want to allow
1) ip route
2) interface

How many interface-level commands do I want to allow
1) shut
2) no shut

Now simply look at how I configure it. Remember you need to practice this as well to make more sense of it.

R1(config)#privilege exec ?
all All suboption will be set to the samelevel <- (I will explain it after this example)
level Set privilege level of command <- (this will be the level where you want TO MOVE the command. This will become the
default level of the command specified after this keyword)
reset Reset privilege level of command <- (I will explain it after this example)

R1(config)#privilege exec level 4 ?
LINE Initial keywords of the command to modify

R1(config)#privilege exec level 4 show running-config
R1(config)#privilege exec level 4 show ip int brief
R1(config)#privilege exec level 4 show ip route
R1(config)#privilege exec level 4 configure

Now let's put configure mode commands.

R1(config)#privilege configure level 4 ip route
R1(config)#privilege configure level 4 interface

Now let's put interface mode commands.

R1(config)#privilege interface level 4 shut
R1(config)#privilege interface level 4 no shut

Now look below for verification:

R1#disable 4
R1#sh privi
Current privilege level is 4

R1#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            unassigned      YES unset  administratively down down
FastEthernet0/1            unassigned      YES unset  administratively down down

R1#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

R1#sh running-config
Building configuration...

Current configuration : 133 bytes
!
boot-start-marker
boot-end-marker
!
!
!
!
!
!
interface FastEthernet0/0
shutdown
!
interface FastEthernet0/1
shutdown
!
!
!
end

R1#config
R1(config)#interface fas 0/0
R1(config-if)#?
Interface configuration commands:
default Set a command to its defaults
exit Exit from interface configuration mode
help Description of the interactive help system
no Negate a command or set its defaults
shutdown Shutdown the selected interface

Now check it on your CLI. Just take the result right above. Everyone knows there are lots of commands under interface mode, but
here you are seeing only the ones you allowed. OK, there are some defaults like help, exit, default. But it doesn't actually
matter much.

Q) Is the running-config really that short? Or have you cut it to save space?
A) Remember that in any priv level below 15, you will never see the whole configuration. You will only see the parameters
you can configure. Over here you are seeing interfaces because you can configure them, right? You will also see ip routes if
there are any. But in total, you will see only those items in running-config that the user in THAT mode is ALLOWED to
configure!! You are seeing interfaces because we have allowed the user in priv 4 to configure interfaces.

For your practice, achieve the following tasks
1) Give the user in priv 4 rights to configure IP addresses on interfaces.
2) Give some default and static routes via this interface from level 4
3) Verify through running-config.


Now let's discuss the other keywords

R1(config)#privilege exec ?
all All suboption will be set to the samelevel
reset Reset privilege level of command

"all" is the wild card that you can use to allow any command that BEGINS with this keyword plus all other parameters of this

parent command.

Q) What do you mean by parent command ?
A) See, IOS follows an hirearchy similar to a tree structure with a command being at the root level, then the second

paramter(s) will be at second level and so on.

Lets take the example of "show running-config" command. Visualize it like this

--Show
|---->running-config
|---->startup-config
|---->IP
|---> route
|---> protocols
|---> INTERFACE
|---> brief

Getting any idea ?

Lets take example of "show ip int brief".
If you want to allow -brief-, you MUST allow ITS parent command which is -interface-
To allow -interface- you MUST allow ITS parent command which is -IP-
To allow -IP- you must allow ITS parent command which is -show-

Having said this. Lets look at the running config of the previous configuration we have done for priv 4.

privilege interface level 4 shutdown
privilege interface level 4 no shutdown
privilege interface level 4 no
privilege configure level 4 ip route
privilege configure level 4 interface
privilege configure all level 4 ip
privilege exec level 4 configure
privilege exec level 4 show ip route
privilege exec level 4 show ip interface brief
privilege exec level 4 show ip interface
privilege exec level 4 show ip
privilege exec level 4 show running-config
privilege exec level 4 show

Got it!!! Recall how many commands you entered above? IOS will automatically allow the respective parent command of
each command YOU want to allow.
A clear example is -ip route-. You just allowed -ip route-, but IOS automatically placed -ip- as well. Because if you don't have access to the -ip- command, how will you have access to the -ip route- command?

OK now?

Q) Yes... so what were you telling about the "all" keyword?
A) OK. In the previous example we just allowed -ip route- but IOS automatically put -IP- as well, right? However, there are many other commands that start with -IP-, but since you didn't allow them all, IOS only allowed -ip route-. Let's say you want to allow every command in configure mode that starts with -IP-.

Currently only ip route is allowed

R1(config)#ip ?
Global IP configuration subcommands:
route Establish static routes

Now
R1# (we are in level 15 now)
R1(config)#privilege configure all level 4 ip
R1(config)#end
R1#
R1#disable 4
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip ?
Global IP configuration subcommands:
access-list Named access-list
accounting-list Select hosts for which IP accounting information is
kept
accounting-threshold Sets the maximum number of accounting entries
accounting-transits Sets the maximum number of transit entries
address-pool Specify default IP address pooling mechanism
admission Network Admission Control (NAC)
alias Alias an IP address to a TCP port
arp IP ARP global configuration
as-path BGP autonomous system path filter
auth-proxy Authentication Proxy
bgp-community format for BGP community
bootp Config BOOTP services
casa configure this router to participate in casa
cef Cisco Express Forwarding
classless Follow classless routing forwarding rules
community-list Add a community list entry
ddns Configure dynamic DNS
default-gateway Specify default gateway (if not routing IP)
default-network Flags networks as candidates for default routes
device Device tracking
--More--

Is it clear now?

Now about the reset keyword. If you want to negate any configuration command, most of the time you simply add -no- in front of it. The -privilege- command doesn't work this way. Try it and see for yourself. We will use reset to negate the previous command

R1# (we are in level 15 now)
R1(config)#privilege configure reset ?
LINE Initial keywords of the command to modify

R1(config)#privilege configure reset ip
R1(config)#end
R1#dis
*Mar 1 00:53:44.715: %SYS-5-CONFIG_I: Configured from console by console
R1#disable 4
R1#conf
Configuring from terminal, memory, or network [terminal]?
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip ?
% Unrecognized command

Oops. We reset -IP-, the parent command, so every command under it is automatically denied as well. So you need to reconfigure -ip route- as we did before. Do it yourself for the sake of practice.
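To make the prefix behaviour concrete, here is a small Python model (an added example, not Cisco code or anything from this tutorial) of how -privilege-, -all- and -reset- move commands between levels; the command names fed into it are a constructed sample, and the rule that assigning a subcommand also pulls its parent keyword down is taken from the output above.

```python
"""Model of how IOS 'privilege' statements move commands between levels.

Added illustration, not Cisco code. It follows the behaviour shown in the
transcript: assigning 'ip route' to level 4 also exposes the parent keyword
'ip' at level 4 (but nothing else under it), 'all' moves every subcommand,
and 'reset' returns the keyword and everything under it to the default.
Configure-mode commands default to level 15 here.
"""
from dataclasses import dataclass, field

DEFAULT_LEVEL = 15  # configure-mode commands start out at level 15


@dataclass
class Node:
    """One keyword in the command tree, e.g. 'ip' or 'route'."""
    level: int = DEFAULT_LEVEL
    children: dict = field(default_factory=dict)


class PrivilegeTree:
    def __init__(self, commands):
        # 'commands' is a constructed list of known command strings
        self.root = Node(level=0)
        for cmd in commands:
            node = self.root
            for word in cmd.split():
                node = node.children.setdefault(word, Node())

    def _path(self, words):
        """Return the nodes along 'words', or None if the command is unknown."""
        node, path = self.root, []
        for word in words:
            node = node.children.get(word)
            if node is None:
                return None
            path.append(node)
        return path

    def _set_subtree(self, node, level):
        node.level = level
        for child in node.children.values():
            self._set_subtree(child, level)

    def assign(self, level, command, all_sub=False):
        """privilege configure [all] level <level> <command>"""
        path = self._path(command.split())
        if path is None:
            raise KeyError(f"unknown command: {command}")
        # parent keywords are pulled down too, so the command is reachable
        for node in path[:-1]:
            node.level = min(node.level, level)
        if all_sub:
            self._set_subtree(path[-1], level)
        else:
            path[-1].level = level

    def reset(self, command):
        """privilege configure reset <command>: keyword and subtree go back to default"""
        path = self._path(command.split())
        if path is None:
            raise KeyError(f"unknown command: {command}")
        self._set_subtree(path[-1], DEFAULT_LEVEL)

    def authorized(self, user_level, command):
        """Can a user at 'user_level' run this full command?"""
        path = self._path(command.split())
        return path is not None and all(n.level <= user_level for n in path)

    def visible(self, user_level, prefix=""):
        """What '<prefix> ?' lists at this level ([] means '% Unrecognized command')."""
        words = prefix.split()
        path = self._path(words) if words else [self.root]
        if path is None or any(n.level > user_level for n in path):
            return []
        return sorted(k for k, n in path[-1].children.items() if n.level <= user_level)


if __name__ == "__main__":
    tree = PrivilegeTree(["ip route", "ip access-list", "ip cef", "interface"])
    tree.assign(4, "ip route")              # privilege configure level 4 ip route
    print("level 4, ip ?        ->", tree.visible(4, "ip"))
    tree.assign(4, "ip", all_sub=True)      # privilege configure all level 4 ip
    print("level 4, ip ? (all)  ->", tree.visible(4, "ip"))
    tree.reset("ip")                        # privilege configure reset ip
    print("level 4, ip ? (reset)->", tree.visible(4, "ip"))
```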

Q) Ahh. Ok, I got it. But how is Mr.A going to get this level when he logs on?
A) Like I told you above: change the privilege level under line vty 0 4 to "4".

Q) But this will put even me in level 4?
A) Have you set a secure enable 15 password?

Q) Yes I have...
A) So log in to priv 4. From there type -enable-; IOS will now ask for the enable 15 password. Enter it and you are in 15.

Q) Hmmm. It's ok, but I didn't have this in mind.
A) What did you have in mind?

Q) Something more technical and decent. This is just a workaround.
A) Ok fine. Buy an AAA server then....

Q) I can't!!!!
A) Ok fine. Let's look at the other aspect of how Auth/author works. But that will take place in the second session.

Q) This was the second session!!!
A) Fine fine, I mean the 3rd session.

Edited by rainbow9810, 22 July 2009 - 08:46 PM.


#2 kIdMaN

Posted 06 June 2009 - 03:54 PM

Terrific, thank you pappyaar

#3 techadmin

Posted 07 June 2009 - 12:04 AM

pappyaar..................this is MAGICYAAR!!!

#4 thead

Posted 07 June 2009 - 08:29 PM

I just finished reading, and I must admit your writing style is really cool, it kept me entertained all the time, keep up the good work :-), I have one question: how are privilege levels and views related in the real world?

#5 pappyaar

Posted 08 June 2009 - 03:17 PM

QUOTE (thead @ Jun 7 2009, 08:29 PM)
I just finished reading, and I must admit your writing style is really cool, it kept me entertained all the time, keep up the good work :-), I have one question: how are privilege levels and views related in the real world?

Dear Thead, thanks for the nice comments :-). I will try my level best to make future tutorials more entertaining and worth reading.

Now regarding your question, I am assuming that you have at least configured both of them once.

Both of them are used to provide restricted access to users. Having said this, the restriction process is somewhat cumbersome in the case of privilege levels. Every privilege level consists of a default set of commands. Now let's say you want to give a user very restricted access so that he can run only the following commands

1) show ip int brief
2) show interfaces
3) show version
4) sh ip route

Now before views were there, I could simply do this in 2 ways
1) Assign the user to level 0 and with privilege commands assign the above 4 commands to the user. This is perhaps the best way.
2) Assign the user to some other level, use a long list of privilege commands to remove all other commands, then add the above 4 commands.

Now remember, without an AAA server, this had to be done and was done in the past. Views have some advantage over privilege levels because each view starts empty!! There are usually 2 or 3 default commands like enable, exit, show. Now you can fill this view by adding commands to it through view config mode.
This gives the administrator rather more control in assigning rights (which commands to execute) to users.

Which shall you use if it comes to restricting user access?
Views are a bit more advanced in the sense that they give you easy configuration as to which command you want to add and which to exclude. But to be honest I didn't find the difference very appealing. I mean I can almost achieve the same level without using views as well.

Keep in mind all the above discussion was for CLI-based views and not lawful intercept views.


#6 thead

Posted 08 June 2009 - 07:29 PM

Thank you for the explanation, it's much clearer now ;-)

#7 pappyaar

Posted 22 July 2009 - 06:28 PM

Due to some issues, this part took longer than it was supposed to. I would highly recommend just reviewing the previous part for a refresher. If it benefits anyone, even just a bit, then don't forget me in your prayers. Do provide me with your feedback and feel free to ask anything, but make sure that this tutorial does clear your concepts, because if it doesn't then all my effort will be in vain.

Enjoy.....

Ok. The 2nd session is starting now....


Q) IT'S THE 3rd session!!!!!
A) Yes fine, 3rd session. So how was your practice, did you get everything we discussed last time? I am sure you must have done a LOT of practice, isn't it..

Q) Yes, understood everything, but didn't have time to practice.
A) Why not?

Q) Parties to attend, watching TV, etc. After all we all have our social lives!!
A) Yeah, ..... right.

So let's get started. Any questions?

Q) Yes. Last time we limited Mr.A's access but it wasn't very technical or something that seems ok. I have seen people log in in some different style!! I just don't know what to ask but hope you understand...
A) Yes I understand. Today we will move one step closer to actual AAA. First let's summarize what we did last time

1) How to skip authentication for both level 1 and level 15
2) What are priv levels
3) How to move between those levels
4) How to MOVE commands between these levels
5) What is the difference between MOVING a command from lower to higher and vice versa
6) Moving commands with -privilege- command

to name just a few of the things we discussed previously.
So we did achieve our objective of limiting Mr.A's access, but not in the most appropriate way.
So today let's start AAA without using AAA.

Q) What? AAA without AAA. This is confusing!
A) Yes. Focus on what I am explaining below and it will clear everything.

There are scenarios where multiple users need varying levels of access. Your manager and probably you too would have full access to your router, i.e. level 15. But this may not be true for junior or newly joined staff or interns. (Do you give access to interns at all?)

If everyone is treated the same, then perhaps there is no need for access-control mechanisms. But if people require different levels of access then the method discussed previously and those discussed today and in future should be taken into consideration.

Q) One more confusion. What do you mean by level of access?
A) Level of access essentially means 2 things

1) What the user can see (this includes various show commands; debug can also be there, but I doubt you will ever grant this command to anybody in lower levels)
2) What the user can do (any command that performs some action, like configuration commands: ip route, access-list, changing IP addresses etc., or monitoring actions like ping, trace etc.)

Q) Ok, it's clear.
A) Ok. Our further discussion requires a scenario to be followed.

Suppose, 1 week after Mr.A joined, Mr.B and Mr.C joined as well.
So you again went to your Boss.

You "Sir, we have two more joinings"

Boss "You think I don't know that?"

You "No, actually I mean to say, what about their access to routers?"

Boss "You are again asking me this? Why do you think I am paying you......"

The rest, I am sure, you know well ;-)

Mr.A will have the same requirements. Mr.B has these requirements

1) In addition to Mr.A's access, he should also be allowed to configure network advertisement in OSPF and access-list configuration.
We will give him level 6 (it's totally random, give him any level above 4, which is Mr.A's, and below 15)

Mr.C's requirements are as follows
1) In addition to Mr.B's and Mr.A's access, he should also be allowed to apply access-lists on interfaces, plus he should also be able to configure route-maps for policy based routing.

We will give him level 8 (it's totally random, give him any level above 6, which is Mr.B's, and below 15)

Shall we proceed ?

Q) Route-maps for PBR only? You didn't mention if he can apply them globally/on interfaces or not?
A) Nope, he shouldn't be allowed to apply them. PBR can surely cause a lot of havoc if not given proper thought. It should be you who applies it globally or on interfaces.

Q) But you allowed Mr.B to apply access-lists, isn't that risky and worth giving thought? What did you eat for breakfast?
A) Please, this is just an example!!!!

Q) Oh ok. Please continue.
A) Yeah right

Now, if we just followed the previous method, what shall be the first step?
1) To deal with the login process.

Ok. As you know, under line vty we can only put one default priv level for anyone landing on these lines.

Which level might that be?

Q) Hmmm, level 8. I am intelligent, right?
A) More than I imagined.

If I give level 8, Mr.C will log in, but the others will have access to that level too, isn't it?

Q) So we will put the -login- command under line vty 0 4, and to allow only Mr.C we will give a password there and tell this password only to Mr.C. SO SIMPLE!!
A) Not bad. What about Mr.A's and Mr.B's access? When they access the router, they will be prompted for the password for level 8 as you said; they don't know this password so they will not be authenticated, in other words they are blocked for eternity!!!

Q) Ohh, I didn't think of that. So which level should it be? I am confused.
A) Give the lowest level. You can start with the default 1 if you like, or level 4 like previously set. When Mr.A telnets to the router, he is prompted for the password of level 4. He enters it and accesses level 4.
Mr.B comes, he is also prompted for the password of level 4, he enters it, accesses level 4. Now to go to his own level he must do this

C:\> telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password: (cisco)
R1#sh privilege
Current privilege level is 4
R1#enable 6
% No password set
R1#

Oops, we didn't configure that. So you have to set passwords for both enable 6 and enable 8.
Mr.C will follow the same procedure: after entering level 4, he will enter -enable 8- to reach his level.
In priv 15 don't forget to assign them their respective commands using the -privilege- command.
But this merely achieves the objective. It is not professional and it doesn't look good to adopt this way.
So in an access-control mechanism, how do we differentiate one user from another?

This is where Authentication comes in.

Authentication is the process of asking you something that only you know and no one else does. What we saw previously was no doubt also authentication, but 4 people knew the same password. There is no way for IOS to distinguish Mr.A from Mr.B, right?
So we need something that can tell IOS that this is Mr.A coming, this is Mr.B coming and so on.

We do this by introducing a "username" into the authentication process.

"username", as can be seen, is the name of the user. Simple! Mr.A will have his own username, Mr.B will have his own. This will help IOS know which user has logged in.

Q) What benefit does this give? How do we introduce a username into the authentication process?
A) The benefit will become clear in my example. First, how to introduce a username.

A username is introduced by invoking the IOS local user database.

Q) OHH, do I have to learn Oracle or SQL for that? I am very weak in databases?
A) I can guess that. No, you don't need any database knowledge for that.
You invoke the local user database by creating an entry. The database is automatically created. The database is nothing but the entries you provide :-)

For example

R1(config)#username Mr.A password Mr-A-cisco123

Simple!!

Let's take a closer look at the syntax of this command

R1(config)#username Mr.A ?
aaa AAA directive
access-class Restrict access by access-class
autocommand Automatically issue a command after the user logs in
callback-dialstring Callback dialstring
callback-line Associate a specific line with this callback
callback-rotary Associate a rotary group with this callback
dnis Do not require password when obtained via DNIS
nocallback-verify Do not require authentication after callback
noescape Prevent the user from using an escape character
nohangup Do not disconnect after an automatic command
nopassword No password is required for the user to log in
one-time Specify that the username/password is valid for only one time
password Specify the password for the user
privilege Set user privilege level
secret Specify the secret for the user
user-maxlinks Limit the user's number of inbound links
view Set view name
<cr>

We may not discuss all the parameters, but we will discuss a few of them along the way. The important ones are

autocommand
nopassword
one-time
password
secret
privilege
view

Q) Why not the others?
A) They are related to services, and I said at the start that I won't be discussing services!

Q) Then why not user-maxlinks? It seems interesting!
A) Yes it seems so, but it's not. This command is used to limit a PPP or dialup user from opening multiple connections with the router. At first I also thought we could use this to prevent a user from opening multiple telnet/ssh sessions with the router, but my assumption was wrong. It's only used for PPP and dialup services.

Ok, now above we created a simple username with a password. But this will not activate the "username" prompt as long as you don't instruct the router to use it!! For this to happen, under line vty 0 4 you must issue the -login local- command.
-login local-: login for authentication and local to use the local database. This will now ask for a username in addition to the password. Let's try it

R1 relevant config


username Mr.A password cisco123
!
!

line con 0
line aux 0
line vty 0 4
privilege level 4
password cisco
login local

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.a
Password:
R1>

Ok, now certain points to consider.
1) The username is not case sensitive. But the password is!!!!
2) After -login local-, IOS is no longer using the line-specific parameters. It neither accepted the password cisco nor did it assign level 4 to the incoming user. It simply ignored the line-specific parameters as long as you ask IOS to consult the local database.

Q) But why did IOS assign level 1 to the user? Can I change it?
A) Yes. Like I said in the previous tutorial, IOS puts the user in level 1 by default if no other level is explicitly defined.
Now how to define level 4 for Mr.A? Look at the above list, you can see the privilege keyword ;-)

Here is the respective configuration done on R1.

R1#sh privilege
Current privilege level is 15
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#user
R1(config)#username mr.a pri
R1(config)#username mr.a privilege 4
R1(config)#end
R1#

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.a
Password:
R1#sh privi
Current privilege level is 4
R1#

Now as you can see, even when accessing the same username, you can use mr.a instead of Mr.A. So it's not at all case sensitive :-).

Q) Hmm. Is it possible to avoid the password in this new type of authentication? What if I just want to authenticate on the basis of username and not password?
A) Yes, you can do this in 2 ways

1) Simply don't give a password ;-)

R1(config)#no username mr.a
R1(config)#username mr.a privilege 4
R1(config)#username mr.b privilege 6
R1(config)#end
R1# sh run | in username

username mr.a privilege 4
username mr.b privilege 6
R1#

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.a
Password: (just press enter here since password is not given)
R1#sh privi
Current privilege level is 4
R1# exit

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.b
Password:
R1#sh privi
Current privilege level is 6
R1#

2) The other method is to use the nopassword keyword, which is quite the same. Below is the config

R1(config)#username Mr.A privilege 4 nopassword

Ok, is it clear now how to skip password authentication?

Q) Yes!
A) Now there is one more feature called one-time password. Now this is tricky; although it doesn't seem to be, it is.
Now just look at what I am doing. First I am deleting the previous usernames just for simplicity. You can keep them if you want, but do delete mr.a since we are modifying it for a one-time password.

R1(config)#no username mr.a
R1(config)#no username mr.b
R1(config)#username Mr.A privilege 4 one-time pas
R1(config)#username Mr.A privilege 4 one-time password ?
0 Specifies an UNENCRYPTED password will follow
7 Specifies a HIDDEN password will follow
LINE The UNENCRYPTED (cleartext) user password

R1(config)#username Mr.A privilege 4 one-time password cisco123
R1(config)#
R1(config)#
R1(config)#
R1(config)#end
R1#sh run | in username
username Mr.A privilege 4 one-time password 0 cisco123

ok ?

Now on R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.a
Password:
R1#sh privi
Current privilege level is 4
R1#

Now back on R1

R1#sh run | in username
R1#

See!! Due to the one-time keyword, this username/password combination is used one time only; after it's used, it will be deleted from the RUNNING-CONFIG ONLY. So if you saved the configuration to NVRAM after configuring the username, it will appear again in the running-config after you reload the router. So if your intention is to really use it only one time, then after the user has logged in once, save the configuration and you will be ok.

So which commands are left now!

Q) autocommand, view, secret.
A) Secret is the same as enable secret. This time the password is stored as an MD5 hash. Check it out yourself :-).
View is a bit more advanced topic which I will discuss later. Not in this part.

So let's talk about autocommand. This command executes any command you like when the user logs in. After executing the command the user is logged out automatically. For example, if you want a user to just look at the interface status and do nothing else, then this could be one way of doing it.

Just look below

R1(config)#username new-comer autocommand ?
LINE Command to be automatically issued after the user logs in

R1(config)#username new-comer autocommand sh ip int brief
R1(config)#end
R1#

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: new-comer
Password: (just press enter here since I have not given a password)
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.1 YES manual up up

FastEthernet0/1 unassigned YES unset administratively down down

[Connection to 10.0.0.1 closed by foreign host]

As you can see, the connection was closed after showing the result of "sh ip int brief".

There is one more keyword: -nohangup-. With this keyword, after executing the "autocommand" IOS will again ask for username/password instead of closing the connection.

R1(config)#username new-comer nohangup
R1(config)#end
R1#

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: new-comer
Password:
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.0.1 YES manual up up

FastEthernet0/1 unassigned YES unset administratively down down


User Access Verification

Username:

So far is it ok?

Q) Yes.. so if I want to assign each user its specific set of commands, I have to again use -privilege- commands like before?
A) Yes, 100% the same way. You have just experienced a new way of authenticating. Command usage will be the same as before.

So far what we have seen was non-AAA local authentication and perhaps authorization.

Q) Where did we see authorization? You are cheating!!!!!
A) Authorization means what a user can do and what he can't do. So through the usage of
-autocommand-
-privilege- commands we are restricting the users to issue only certain commands of our choice. So in other words we were controlling what a user can do in his level, right? SO THIS IS CALLED LOCAL AUTHORIZATION. WE ARE CALLING IT LOCAL AUTHORIZATION BECAUSE WE HAVE USED IOS-SPECIFIC COMMANDS TO RESTRICT THE USER'S ACCESS. IF WE USE A REMOTE AAA SERVER THEN THAT WILL BE CALLED REMOTE AUTHORIZATION.

Q) Ok got it. So what now? Are we EVER going to play with AAA or not?
A) Yes you will, and perhaps today... NOW!!!

You have got all the basic background of local authentication and authorization. Still, if you have any questions regarding anything I have discussed, just highlight it and let me know.
Now the main part starts.
How to use AAA in Cisco IOS.
In this part I will be discussing essentially only authentication and authorization. Accounting will be discussed when I explain ACS 3.3 or 4.x, again if life permits.
Note: From here onwards I will be discussing only local authentication/authorization.
At this point, I was thinking, do I really need to ADD AAA to my configuration when I can do all the stuff without needing AAA? What does local AAA really provide me?

To be honest, local AAA provides nothing!!! If I am not using an AAA server, then you are fine without even thinking about AAA at all ;-).

Now I am quite sure that experts can simply jump in and call me ....., ....., ...... (fill in the blanks ;-)). But REMEMBER THE CONTEXT I AM TALKING ABOUT. WE ARE TALKING ABOUT AAA FOR AUTHENTICATION AND AUTHORIZATION OF USER LOGIN ONLY.

Of course local AAA can play an important role when it comes to services like easy-vpn, dot1x and all, but since we are not discussing them, I can safely live with the comment I gave above ;-)
AAA commands in IOS are configured in global mode. There are some line configuration commands for aaa also, but the main configuration is done from global config mode. By default aaa is disabled. If you do show running-config, you shall see
-no aaa new-model-

Q) Why is it called new-model? Are there any other models as well?
A) Was this another attempt to prove your intelligence?

Q) No... just asking
A) You can take it more as syntax. This command enables AAA. Without this all AAA commands are hidden/non-activated. You can't configure any aaa commands if you have not issued -aaa new-model-.
So to enable AAA, just enter this in router global config mode

aaa new-model

R1(config)#aaa ?
new-model Enable NEW access control commands and functions.(Disables OLD commands.)

R1(config)#aaa new-model
R1(config)#aaa ?
accounting Accounting configurations parameters.
attribute AAA attribute definitions
authentication Authentication configurations parameters.
authorization Authorization configurations parameters.
cache AAA cache definitions
configuration Authorization configuration parameters.
dnis Associate certain AAA parameters to a specific DNIS number
group AAA group definitions
local AAA Local method options
max-sessions Adjust initial hash size for estimated max sessions
memory AAA memory parameters
nas NAS specific configuration
new-model Enable NEW access control commands and functions.(Disables OLD commands.)
pod POD processing
route Static route downloading
session-id AAA Session ID
session-mib AAA session MIB options
traceback Traceback recording
user AAA user definitions

R1(config)#aaa

First we will play with authentication. Trust me, in most books and docs you will find bits and pieces spread around. When you experience something ODD in aaa, you can simply hit your head on the wall because I doubt any book will help you on this. This is the most important part, so read it very carefully from here.

There are 3 main keywords after -aaa-
1) Authentication
2) Authorization
3) Accounting

Let's explore Authentication.

Authentication using AAA:

What authentication achieves is the same as we did before. Using AAA authentication, the router will prompt you for a username/password combination for the mode/service the user wants to access and verify it according to the methods listed afterwards. It's a bit confusing, so let's check the syntax

R1(config)#aaa authentication ?
arap Set authentication lists for arap.
attempts Set the maximum number of authentication attempts
banner Message to use when starting login/authentication.
dot1x Set authentication lists for IEEE 802.1x.
enable Set authentication list for enable.
eou Set authentication lists for EAPoUDP
fail-message Message to use for failed login/authentication.
login Set authentication lists for logins.
password-prompt Text to use when prompting for a password
ppp Set authentication lists for ppp.
sgbp Set authentication lists for sgbp.
username-prompt Text to use when prompting for a username

When will you be requiring authentication?

Ok now, this question is important. Ideally you require two-step authentication.
1) When you log in to the router. You normally would land on privilege 1. This approach is followed widely.
2) When you try to access privilege level 15, also called enable mode.

Now to keep the record straight, you can have a 1-step login by allowing yourself to jump directly to level 15, or land yourself by default at level 4 (it's just random) and from there move to level 15. So in practice, play any way you like. But to follow the general and recommended approach we will follow 2-step authentication as defined above.

Let's consider the first step, when you try to log in to the router via
1) Console port
2) Telnet/SSH

and by default land at priv level 1.

Using AAA authentication for this step, since it's the "login" step, we will use the keyword -login-, simple!!!

R1(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be rejected).
default The default authentication list.

What you are seeing above is called the name of the method-list. So what is a method-list?

There are 3 ways you can perform authentication.
1) Using line passwords that you configure under lines, like this
line vty 0 4
password cisco

2) Using the local database (using the username entries we created above), like this
R1(config)#username admin password cisco

3) Using a remote AAA server (running either RADIUS or TACACS)

Now what will happen if we have configured all of them on the router at the same time? Like this

R1#sh running-config

(output omitted for simplicity)

username Mr.A password Cisco123
!
!
line vty 0 4
password cisco
!
!
!
"Configuration for remote server"
....
....
....
!
!

So now, when the user telnets, which password shall it use?

Line password?
username password?
external server?

So which one will you use first? External server or local database or line password? To define this sequence we use method-lists, SIMPLE!!!
Why is it called a method-list then? Basically we can re-write the above statements like this

There are 3 METHODS you can use to perform authentication.
1) Using line passwords that you configure under lines, like this
line vty 0 4
password cisco

2) Using the local database (using the username entries we created above), like this
R1(config)#username admin password cisco

3) Using a remote AAA server (running either RADIUS or TACACS)
So a method list simply defines the sequence in which the external or local databases are checked.

Ok now. Did you understand the meaning of method-lists?

Q) Yes. But you said they define the sequence, so what does this mean? What does this sequence imply?
A) See. Let's say I configure a method-list like this
1) Consult AAA server
2) Consult local database

Over here I have defined a sequence. First the AAA server will be asked to perform authentication. If we don't get ANY ANSWER FROM the AAA server, ONLY then is the next method, which in our case is the local database, consulted to perform authentication.

Q) What do you mean by "don't get any answer from the AAA server"? What does this mean?
A) Over here, I am assuming you already know something about the RADIUS and TACACS protocols. When IOS needs to talk to an AAA server like ACS 3.3, it needs some language/protocol to send and receive information. This language/protocol will be either RADIUS or TACACS. TACACS is Cisco proprietary. Let's assume I have decided to use the TACACS protocol and I have configured ACS 3.3 to use TACACS as well. Then what will happen when a user tries to log in?
1) Router will ask for username/password
2) User enters it
3) Router will send this username/password to the AAA server using the TACACS protocol as defined in our configuration.
Now any of the below 3 situations can happen
a) If the AAA server (ACS 3.3) has an entry for this username/password, it will return "PASS" to the router, allowing it to successfully authenticate the user.
b) If the AAA server (ACS 3.3) doesn't have this username/password, it will return "FAIL" to the router, instructing it NOT to authenticate the user.
c) NO response is received from the AAA server in a predefined time. This can happen because
1) The AAA server is down.
2) The AAA server has some issue and is not able to reply to the router's query (again some hardware or software issue)
3) The router's WAN link to the AAA server has some issue. In this case the AAA server might be up, but the router is not able to reach it due to link issues.
So if the router is not able to talk to the AAA server for a certain amount of time, it will consider this an "ERROR". ONLY IF THIS ERROR OCCURS, ONLY AND ONLY THEN WILL THE ROUTER MOVE TO THE NEXT METHOD. IN OUR CASE IT WILL CONSULT ITS LOCAL DATABASE TO LOOK FOR THIS USERNAME/PASSWORD ENTRY, SINCE AAA IS NO LONGER RESPONDING.

Q) What if I receive "FAIL"? What's the difference b/w FAIL and ERROR?
A) FAIL means the router RECEIVED a response from ACS telling it NOT TO AUTHENTICATE. ERROR means the router DIDN'T GET ANY RESPONSE FROM ACS, so now it must look for the next method of authentication in the list, which in our example is the local database.

Q) Does the next method always have to be the local database?
A) NO, you can use any sequence you like. There is no restriction in this. You could have used the line password instead.
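As an added example (not Cisco code, and not from this tutorial), the following Python simulates a login method list with the PASS/FAIL/ERROR rule above: the TACACS+ server, the local database and the line password are all simulated in-process, and every username and password in it is a constructed sample.

```python
"""Simulation of an IOS AAA login method list: only ERROR falls through.

Added illustration, not Cisco code. The server, the local database and the
line password are simulated in-process; usernames and passwords are
constructed sample values. Real IOS edge cases (for instance an empty local
database) are not modelled, only the PASS / FAIL / ERROR rule from the text.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # method answered: authenticate the user
    FAIL = "FAIL"    # method answered: do NOT authenticate the user
    ERROR = "ERROR"  # method gave no answer (server down, link broken, timeout)


class Method:
    """Base class for one entry in a method list."""
    name = "abstract"

    def __init__(self):
        self.calls = 0  # lets us prove whether a method was even consulted

    def authenticate(self, username, password):
        self.calls += 1
        return self._check(username, password)


class TacacsGroup(Method):
    """'group tacacs+': a simulated ACS-style server with a reachability flag."""
    name = "group tacacs+"

    def __init__(self, users, reachable=True):
        super().__init__()
        self.users, self.reachable = users, reachable

    def _check(self, username, password):
        if not self.reachable:
            return Result.ERROR  # no reply within the timeout
        return Result.PASS if self.users.get(username) == password else Result.FAIL


class LocalDatabase(Method):
    """'local': username entries; username case-insensitive, password case-sensitive
    (matching what the transcript shows)."""
    name = "local"

    def __init__(self, users):
        super().__init__()
        self.users = {u.lower(): p for u, p in users.items()}

    def _check(self, username, password):
        return Result.PASS if self.users.get(username.lower()) == password else Result.FAIL


class LinePassword(Method):
    """'line': the password under 'line vty 0 4'; the username is ignored."""
    name = "line"

    def __init__(self, password):
        super().__init__()
        self.password = password

    def _check(self, username, password):
        return Result.PASS if password == self.password else Result.FAIL


def login(method_list, username, password):
    """Walk the list in order; return (result, name of the method that decided)."""
    for method in method_list:
        result = method.authenticate(username, password)
        if result is Result.ERROR:
            continue              # ONLY an ERROR moves on to the next method
        return result, method.name
    return Result.FAIL, None      # every method errored: the login is denied


if __name__ == "__main__":
    # constructed sample: server knows one password, local database another
    tacacs = TacacsGroup({"Mr.A": "acs-secret"}, reachable=True)
    local = LocalDatabase({"Mr.A": "cisco123"})
    method_list = [tacacs, local]           # aaa authentication login X group tacacs+ local
    print("server up, ACS password  ->", login(method_list, "Mr.A", "acs-secret"))
    print("server up, local password->", login(method_list, "Mr.A", "cisco123"), "local consulted:", local.calls)
    tacacs.reachable = False
    print("server down, local pwd   ->", login(method_list, "mr.a", "cisco123"))
```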

Q) But you didn't use the line password even as the third method?? Why? Are only 2 methods allowed at a time?
A) Now I must say you are indeed intelligent. Yes, I used the local database for a purpose. If I have to classify the methods (line, local, external) as to which is more secure than the other, then I would say
1) line password is least secure
2) local database is more secure
3) external database is more secure than either.

Q) How have you classified them?
A) Suppose you are just using the line password for authentication. You have 5 users, each with access to a different priv level. Then you already know I can have only 1 line password at a time. So I have to give this password to all of them to log in to the first initial level and then move on to their respective levels.
In the case of username/password, only the administrator and the user know this password combination. Suppose you created the Mr.B username and the Mr.C username. Who will know Mr.B's username besides him? Only you, but not Mr.C, as long as Mr.B doesn't tell Mr.C about his password. But it's still not that secure, since anyone who gets his hands on the running-config/startup-config can easily look at the passwords.

Q) Nope, not at all, you are wrong!! See, I get you. If I am using the -secret- keyword after username and not -password-, then my password will be saved as an MD5 hash. Now no one can know what my real password is, isn't it?
A) Yes, you got me there. You are 100% right. But whoever can see this username/password combination will surely have access to configure it as well, doesn't he?

Q) What do you mean?
A) In the previous tutorial I said, in any priv level, if you are granted access to show running-config, you will only see those parameters that you are ALLOWED to configure. So if anyone is doing show running-config and he happens to see the username/password line in the result, then it means that he can also configure it, right? So he simply changes the password, uses that username to enter the router, does malicious activity and leaves safely. So that is one of the reasons I am saying that the local database is secure, but not as secure as an external database.

Q) OK, now I got it. Now back to method lists. If I define the sequence, DOES IT HAVE to be the same for all the lines? Like for
console, aux and vty, shall they follow the same method sequence, or can it be different for each of them?
A) Yes, it can be different for each of them.

Q) Can the sequence be different for each vty line as well?
A) Yes, sure, the sequence can be different for each vty line as well :-).

Q) How to do this?
A) Let me continue then....

Q) I didn't stop you, why are you saying that?
A) OK OK, I got it.

So far I am quite sure the use of method lists is clear. It will become clearer as we proceed further. Now let's look at
the syntax again
R1(config)#aaa authentication login ?
WORD Named authentication list (max 31 characters, longer will be
rejected).
default The default authentication list.

R1(config)#aaa authentication login

Remember, like access-lists and route-maps, these method lists must also be applied to LINES. Now you have 2 options
here: use default or define your own name. So what's the difference between these two?
1) The default method list is automatically applied to all lines!!! Just define this method list and it will be applied to all
lines. It saves you extra config if you want ALL YOUR LINES TO USE THE SAME LIST OF METHODS.
2) If, let's say, you want a different method list (sequence of methods) for line con 0 and line vty 0 4, like below
a) Use only the line password for line console 0
b) Use the external database and, in case of ERROR, use the local database for the vty lines.

So first let's make a method list for line con 0
R1(config)#aaa authentication login for-console line

Now apply this method list under line con 0 like this
R1(config)#aaa authentication login for-console line
R1(config)#line con 0
R1(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

R1(config-line)#login authentication for-console
R1(config-line)#

Now for line vty 0 4
R1(config)#aaa authentication login for-vty grou
R1(config)#aaa authentication login for-vty group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

R1(config)#aaa authentication login for-vty group tac
R1(config)#aaa authentication login for-vty group tacacs+ ?
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>

R1(config)#aaa authentication login for-vty group tacacs+ lo
R1(config)#aaa authentication login for-vty group tacacs+ local
R1(config)#line vty 0 4
R1(config-line)#login authentication for-vty
R1(config-line)#

Task completed!!! This is just to give you a small snippet of how things are done. Now let's see what these -line-, -group- and -tacacs+-
keywords are

R1(config)#aaa authentication login for-vty ?
enable Use enable password for authentication.
group Use Server-group
krb5 Use Kerberos 5 authentication.
krb5-telnet Allow logins only if already authenticated via Kerberos V
Telnet.
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
passwd-expiry enable the login list to provide password aging support

Now see here,

-line- If you set this as the method, the router will prompt for the line password. Make sure you have configured a line password under
line con 0, or else you will be blocked, since you didn't define any other method in case of ERROR from the previous method
!!!
-local- If you set this as the method, the router will prompt for username/password. If the entry is not present, this will
always result in FAIL and not ERROR, because there is no communication error: the username is simply not present!!! If you
don't define any username, then YOU ARE BLOCKED, SINCE THE ROUTER HAS NO REASON TO FALL TO ANOTHER METHOD, BECAUSE IT CAN'T GET AN ERROR FROM THE LOCAL DATABASE. REMEMBER!!!!! FROM THE LOCAL DATABASE IT IS EITHER PASS OR FAIL. NO ERROR, NOTHING ELSE!!!
-group- This refers to an external AAA server like ACS 3.3. Now if you want to use the TACACS+ protocol to communicate with ACS,
then after making the necessary configuration on ACS and IOS, you choose tacacs+ after the -group- keyword, like this

R1(config)#aaa authentication login for-vty group ?
WORD Server-group name
radius Use list of all Radius hosts.
tacacs+ Use list of all Tacacs+ hosts.

R1(config)#aaa authentication login for-vty group tacacs+ ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
local Use local username authentication.
local-case Use case-sensitive local username authentication.
none NO authentication.
<cr>

Now our next fall-on method should be the local database, in case of ERROR from the remote server. So it will be

R1(config)#aaa authentication login for-vty group tacacs+ local ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
none NO authentication.
<cr>

But since I don't want to configure any other method, I will simply end it here.

Now so far it was just like creating access-lists. As you know, access-lists by themselves don't do anything. You need to apply
them on interfaces/lines to perform your desired filtering, right? Same is the case here. You will need to APPLY these method
lists on LINES only (remember, not interfaces) for them to take effect.

Following is the complete relevant configuration

R1#sh running-config

!
aaa new-model
!
!
aaa authentication login for-console line
aaa authentication login for-vty group tacacs+ local
!
aaa session-id common

line con 0
logging synchronous
password cisco
login authentication for-console
line aux 0
line vty 0 4
login authentication for-vty

Now whenever a user comes via the console port he/she will only need to know the line password. Remember, if for some reason you are not able to telnet/ssh to the router and have to fall back to the console, but either you forgot the password or didn't configure
it at all, then you are blocked. In that case you need to carry out the password recovery procedure...

Any questions?

Q) Yes, in the last snippet when you did "?", among others there is also -enable- there!! What is -enable- doing here? I
thought enable means accessing levels, not logging in to the router. I am really confused!
A) A very nice catch. See, IOS also provides the facility that you can use the enable password to LOG IN AS WELL. Now remember, this is just a feature; it doesn't oblige you to use it in real life :-). But for understanding, let's see how it works.

R1(config)#aaa authentication login for-vty enable
R1(config)#enable password cisco

Now as you can see, I am using only one method here to authenticate, i.e. -enable-. (Remember I have already applied this
method list above.)

Now when from R2 I telnet to R1

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:(cisco)

R1>enable
Password:(cisco)
R1#

I hope this is clear so far.

Q) When I used the enable password, which level was I put in when I logged in?
A) You logged in to the default level of 1. You can change it like we did before. Try it yourself!

Q) Can't you show it!!!!!!
A) NOOOOOOOO!

Q) But why? What am I taking the class for?
A) Yeah ...... right!

Q) OK fine.. I have one more confusion. When I wanted to use the remote server, I just mentioned the protocol, like tacacs+,
nothing else. Is that sufficient for the router to talk to the remote server? I mean we haven't given the IP of the tacacs server or
anything, so how was the router able to talk to the AAA server? I think it will always return ERROR!!
A) There you go. Nice catch again. I didn't show the AAA server configuration for simplicity's sake. But you are right: if that
is my SOLE CONFIG, then the router will always get ERROR for every query, since we haven't defined the IP of the tacacs/radius server.
Below is the required configuration for, let's say, a tacacs server (ACS 3.3, but using the TACACS+ protocol to authenticate/authorize
users)

tacacs-server host 10.1.10.109 key cisco321

If you do "?" after tacacs-server you will see other options, but this is the minimum requirement to configure it properly.
I haven't described the usage of the -local-case- option; it is quite self-explanatory, try it out yourself!
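As an added example (not from the tutorial), here is a small Python audit that parses an IOS config excerpt and flags exactly what this part warns about: a -password- where -secret- should be, a login or exec list that falls to -none-, a -group tacacs+- method with no tacacs-server host behind it (every query would ERROR), and a named list that is never applied to a line. The two sample configs are constructed from the tutorial's own snippets; the rule names are my own.

```python
import re
from typing import Dict, List, Tuple

# Commands that end a 'line ...' block even when the config was pasted without
# indentation (the tutorial's excerpts lost their leading spaces).
TOP_LEVEL = ("aaa ", "username ", "enable ", "tacacs-server", "radius-server",
             "line ", "hostname ")


def parse(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split an IOS config into global commands and per-line sub-command blocks."""
    globals_, lines, current = [], {}, None
    for raw in config.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        if cmd.startswith("line "):
            current = cmd[5:]
            lines[current] = []
        elif current is not None and (raw[:1].isspace() or not cmd.startswith(TOP_LEVEL)):
            lines[current].append(cmd)
        else:
            current = None
            globals_.append(cmd)
    return globals_, lines


def methods_of(tokens: List[str]) -> List[str]:
    """Re-join 'group tacacs+' / 'group radius' into single method names."""
    out: List[str] = []
    for tok in tokens:
        if out and out[-1] == "group":
            out[-1] = "group " + tok
        else:
            out.append(tok)
    return out


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the AAA weaknesses discussed in the tutorial."""
    globals_, lines = parse(config)
    findings: List[Tuple[str, str]] = []
    # Protocols that have at least one server defined: 'tacacs' and/or 'radius'.
    servers = {g.split("-")[0] for g in globals_ if re.match(r"(tacacs|radius)-server host ", g)}
    lists: Dict[Tuple[str, str], List[str]] = {}
    for g in globals_:
        m = re.match(r"aaa (authentication login|authorization exec) (\S+) (.+)", g)
        if m:
            lists[(m.group(1), m.group(2))] = methods_of(m.group(3).split())
        elif re.match(r"username \S+(?: privilege \d+)? password ", g):
            findings.append(("reversible-password", f"{g.split()[1]}: use 'username ... secret'"))
        elif g.startswith("enable password "):
            findings.append(("reversible-password", "enable password: use 'enable secret'"))
    # Named lists only take effect once a line references them.
    applied = {sub.split()[-1] for block in lines.values() for sub in block
               if sub.startswith(("login authentication ", "authorization exec "))}
    for (kind, name), methods in lists.items():
        if kind == "authentication login" and "none" in methods:
            findings.append(("no-authentication", f"login list '{name}' allows 'none'"))
        if kind == "authorization exec" and "none" in methods:
            findings.append(("authorization-none", f"exec list '{name}' falls back to 'none'"))
        for i, mth in enumerate(methods):
            proto = mth.split()[1].rstrip("+") if mth.startswith("group ") else ""
            if proto in ("tacacs", "radius") and proto not in servers:
                tail = "users are blocked" if i == len(methods) - 1 else f"falls to '{methods[i + 1]}'"
                findings.append(("unreachable-group",
                                 f"{kind} list '{name}': no '{proto}-server host', every query ERRORs, {tail}"))
        if name != "default" and name not in applied:
            findings.append(("unapplied-list", f"{kind} list '{name}' is defined but applied to no line"))
    return findings


# Constructed from the tutorial's snippets: for-vty references TACACS+ but no server is defined.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login for-console line
aaa authentication login for-vty group tacacs+ local
aaa authentication login unused none
aaa authorization exec default local none
enable password cisco
username Mr.A privilege 4 password cisco
line con 0
 password cisco
 login authentication for-console
line vty 0 4
 login authentication for-vty
"""

# The same router after the fixes the tutorial recommends; audit() reports nothing for it.
HARDENED_CONFIG = """\
aaa new-model
tacacs-server host 10.1.10.109 key cisco321
aaa authentication login for-vty group tacacs+ local
aaa authorization exec default group tacacs+ local
enable secret cisco
username Mr.A privilege 4 secret cisco
line vty 0 4
 login authentication for-vty
"""
```

Running audit(SAMPLE_CONFIG) yields six findings, including that for-vty's TACACS+ queries will all ERROR and fall to local; the hardened config yields none.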

Q) AGAIN!!!
A) This is not a spoon-feeding class, may I remind you!!

Q) But so far you have done nothing but spoon-feeding!!!!
A) Ahhhh, so is it good or bad?

Q) I don't know
A) Yeah ..... right!

Now so far we have seen authenticating users when they try to log in to the router via console or telnet/ssh. We can also perform
authentication when users try to MOVE UP to a certain higher level. For simplicity I will keep it to level 15.

Q) Is it necessary that I do authentication for level 15 through AAA?
A) No. You can use the local enable password like you did before. But if you are using a remote server, then it's better to use
remote authentication for level 15 also. But again, it's not mandatory.

Q) And if I am not using a remote server at all?
A) Then see below...

R1(config)#aaa authentication enable ?
default The default authentication list.

R1(config)#aaa authentication enable

As you can see, there is no option to define your own method list!!! Why? Because

1) We can only apply method lists on lines
2) Lines are used ONLY AND ONLY FOR LOGGING IN TO THE ROUTER.

So lines have nothing to do with the enable password!! Why? Because you will be asked for the enable password when you type in
-enable-, and where do you type this?
On the router CLI.
Which means you have successfully logged in to the router, right?
YES!!
So once you are logged in to the router, the function of lines is quite over ;-). That's why for the enable password you don't need lines,
which means no method lists ;-)

Q) Ohh, I see
A)

R1(config)#aaa authentication enable default ?
enable Use enable password for authentication.
group Use Server-group
line Use line password for authentication.
none NO authentication.

R1(config)#aaa authentication enable default

-enable- means use the local enable password, configured as
1) enable password cisco
2) enable secret cisco

-group- same as for login authentication. This will ask you for tacacs/radius and then again ask for the FALL-on method.
-line- you can use the line password for getting to level 15. Again, this is just a feature provided. But this one is tricky:
which line password will be used when you have 3 types of lines available,
1) Console
2) Aux
3) Vty

Any idea?

Q) Not at all
A) I am not surprised.

Q) What do you mean?
A) Nothing at all.

If this is my configuration, for example

R1(config)#aaa authentication enable default line

Then the router will consider THE PASSWORD OF THAT LINE THROUGH WHICH THE USER LOGGED IN ;-) CONFUSING?

See the following configuration, which we have done so far

R1# sh running-config
!
!
aaa new-model
aaa authentication login for-console line
aaa authentication login for-vty group tacacs+ local
aaa authentication enable default line

enable password ciscoenable
username cisco password cisco

line con 0
password passconsole
login authentication for-console

line vty 0 4
password passvty
login authentication for-vty

Now from R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: cisco
Password: (cisco)

R1>en
Password:(passconsole)
% Access denied

R1>en
Password:(ciscoenable)
% Access denied

R1>en
Password:(passvty)
R1# sh privi
Current privilege level is 15
R1#

Now if you had come via the console, then for enable you would have to give the line console password to move to level 15.

Practice it and it will make more sense. In case of any confusion just let me know.

Authorization:

OK, let's start with authorization via local AAA.

Q) AT LAST!!!!
A) OK now. Local AAA authorization can prove to be a very complicated maze. If you are lost, it becomes really difficult to
find your way out. At least that's what happened to me. So I highly recommend following my approach to get a solid understanding of what actually happens with authorization.

I will divide this part into 2 further categories: one when we are NOT using the local database (username/password), and second when we are using the local database.

1- Local AAA authorization without the local database.

There are 3 types of authorization (again, the context is a user accessing the router for login purposes)

Exec- This relates to whether the user (like Mr.A) is ALLOWED to get a shell (CLI) prompt or not!!!
Commands- This relates to whether the user is allowed to run commands of the level given in the syntax of this command. (Didn't
get a word of what I mean? Don't panic, everything will be crystal clear when we get to this command.)
config-command- I will skip the definition for now. We will discuss it later in this part.

Now let's just see the syntax

R1(config)#aaa authorization exec ?
WORD Named authorization list.
default The default authorization list.
R1(config)#aaa authorization exec

It's the same kind of method list as we discussed in the authentication part. Default is applied to all lines by default. If you want to
define a particular method list for, let's say, the VTY lines, just give it the name you like and then apply it under line vty. Much
the same as we did in authentication. Nothing different here.

R2(config)#aaa authorization exec default ?
group Use server-group.
if-authenticated Succeed if user has authenticated.
krb5-instance Use Kerberos instance privilege maps.
local Use local database.
none No authorization (always succeeds).

R2(config)#aaa authorization exec default

Over here

-group- again means referring to a Radius/Tacacs+ server to perform authorization
-if-authenticated- This means if the user is authenticated, just grant him the exec session.
-local- Check the local database (username/password) for authorization.

Now over here, if-authenticated is a bit of an interesting option; it's not always clear what it actually does. So we will explore it.

Now in my scenario this is the config

R1#sh running-config

!
aaa new-model
aaa authentication login default line
aaa authorization exec default local

line vty 0 4
password cisco

!

Over here I am telling IOS to perform authorization for exec, as to whether the incoming user should get a CLI prompt or not!!,
based on the local database, which is not present ;-). Let's see what happens!

R2#10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

OOPS, what did I do wrong?

Q) You entered the wrong password, I got you, I got you!!!
A) Nope, look at the error I received.
% Authorization failed.

This means I passed authentication, but IOS didn't authorize me to open a CLI prompt!!! Let's go a bit deeper this time and
run a debug command to see what actually happened. Let's do it again.

R1# debug aaa authorization

From R2

R2#10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

On R1 !
R1#
*Mar 1 00:07:36.087: AAA/BIND(00000004): Bind i/f
R1#
*Mar 1 00:07:38.115: AAA/AUTHOR (0x4): Pick method list 'default' - FAIL
*Mar 1 00:07:38.127: AAA/AUTHOR/EXEC(00000004): Authorization FAILED
R1#

Now the debug message is not clear, to be honest. It says that it picked the method list named default, but it failed. Actually it
didn't fail, it was KINDA an ERROR. Now this may sound confusing, but in authentication the absence of the username meant a FAIL, not an ERROR; in authorization the absence of the username is considered an ERROR.

Q) I am confused. What if I give username/password then?
A) Nice catch. Let's give it and see what happens

The configuration on R1 will remain the same and I will add the following config to it

R1(config)#username Mr.A privilege 4 password cisco

Now from R2

R2#10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

See, nothing different happened even after the addition of the username. Why? Because we are not using the local database to perform authentication: Mr.A didn't use the Mr.A username to authenticate to the router, that's why authorization can't be performed based on the local database. To further clarify this point, suppose I have 5 username/password entries in my database. Which one will be used for authorization when authentication was done with the line password??? Can you see the confusion? Since no username is associated with the authentication, or in other words the router DOESN'T know which user from the local database has logged in, it can't perform authorization on a username basis!! It doesn't know which username to associate the incoming user with,
because the user is not supplying a username at the time of authentication, so every user who enters the router using the line password
is treated equally!!! That's why local authorization will return ERROR!!!!!

Q) Ohh, it's a bit clearer now. So what shall we do when we don't have a local database? I can see creating a local database is of no
use here, since the user is not supplying a username at the time of login!

A) Well, in case we don't have a local database to help in authorization, and as we know we have got an ERROR (though not
displayed in the debug), IOS will fall to the next method in the "default" list, which is nothing in our case; that's why IOS didn't have any
last resort left. To avoid this situation let's configure 2 possibilities

R1(config)#aaa authorization exec default local none

With the -none- option it means that no authorization is needed: JUST AUTHORIZE THE USER FOR HEAVEN'S SAKE!! This is enough to scare anyone, as well as IOS, that's why IOS will authorize the user ;-). Let's see

On R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:

R1>

On R1

R1#deb aaa authorization
AAA Authorization debugging is on
R1#
*Mar 1 00:05:49.631: AAA/BIND(00000004): Bind i/f
R1#
*Mar 1 00:05:51.311: AAA/AUTHOR (0x4): Pick method list 'default' - PASS
*Mar 1 00:05:51.319: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
*Mar 1 00:05:51.323: AAA/AUTHOR/EXEC(00000004): Authorization successful
R1#

As you can see, this time authorization is successful. Now depending on different views, -none- may not be a very preferred
option, since it forces the router to authorize the user if the other methods failed. In a case like this it doesn't matter much;
it's pretty much equal to not enabling authorization!!!

Another option is -if-authenticated-. This option is A LOT CONFUSING. Here is a proof of concept.

Before reading any further, just try to figure out the practical difference between the -none- and -if-authenticated- options and
I am quite sure you will not be able to find it. It took me quite some time to figure out the difference. Let's see

R1(config)# aaa authorization exec default local if-authenticated

Now from R2

R2#telnet
*Mar 1 00:57:13.591: %SYS-5-CONFIG_I: Configured from console by console
R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Password:

R1>

OK now, I won't be discussing the difference yet. Just a few points and then we will explore it.
We observed authorization without the local database. Let's now use the local database.

R1(config)#username Mr.A privilege 4 password cisco
Now looking at my previous config, I have authentication using line passwords only, therefore authorization can't happen on the
local database. See the relation between authentication and authorization? KEEP THIS FACT IN MIND, IT WILL HELP YOU AVOID CONFUSION IN FUTURE. AUTHORIZATION IS TIGHTLY BOUND TO AUTHENTICATION, AS YOU CAN SEE ABOVE.
So now, since we want authorization to be based on the username, we must also enable authentication via the local database,
because if we don't and the user logs in without supplying a username, then the router will have no idea which username to use
for authorization and hence will produce an ERROR and fall on to the next method during authorization.

R1(config)#aaa authentication login default local line

Now let's see, from R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open


User Access Verification

Username: mr.a
Password:

R1#sh privilege
Current privilege level is 4
R1#

Now let's understand the authorization command again

aaa authorization exec default local

This command is telling IOS:

When the user logs in (i.e. is authenticated), allow him a CLI prompt based on the information of the username the user supplied.
The user supplied Mr.A, so the CLI prompt he got (or was authorized to get) was privilege level 4 (configured in that username command, look
above).
Hence authorization is successful.

OK, let's see how -if-authenticated- is different from -none-. Now read carefully with your mind clear

-if-authenticated- means if the user was AUTHENTICATED IN THE PREVIOUS AUTHENTICATION STEP, THEN GIVE HIM THE PRIVILEGE LEVEL ASSIGNED UNDER LINE VTY 0 4 (BY DEFAULT IT'S LEVEL 1)

Q) I don't get it. Authorization always happens after authentication, you said that yourself!, so what is the sense of -if-authenticated- if this line is going to be checked after authentication is successful!! I really don't get it.
A) This is because you are forgetting one minor detail. We can skip AAA authentication ;-)

Q) What? How? Why?
A) See the following command

R1(config)# aaa authentication login default none

What does this command achieve? Instead of defining any method (like local, line) I simply wrote none, which means no authentication ;-). Let's configure the above statement, delete all previous authorization statements for now and see what happens

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1>

See, nothing was asked: neither username nor password. Authentication didn't happen. So far so good. Let's configure authorization now, using -none- first

R1(config)# aaa authorization exec default none

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open

R1>

See, nothing happened, since -none- means no authorization is performed. You can assume this command is run by default; that's why when we don't configure authorization we are always authorized to run all commands of the level we got.

Now let's use -if-authenticated-

R1(config)# aaa authorization exec default if-authenticated

From R2

R2#telnet 10.0.0.1
Trying 10.0.0.1 ... Open
% Authorization failed.

[Connection to 10.0.0.1 closed by foreign host]
R2#

See, since the user was not AUTHENTICATED in the authentication step, AUTHORIZATION will also fail if the method list FALLS ON to the -if-authenticated- option. So keep this important fact in mind. Also note that if you supply the -if-authenticated- option, there are no further options you can select for fall-on. This is always the terminating method.

I hope by now the difference is quite clear!
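As an added model (not part of the tutorial), the following Python walks authentication and authorization method lists the way this part and the earlier -line-/-local-/-group- section describe: each method returns PASS, FAIL or ERROR, only ERROR moves IOS on to the next method, -local- authorization ERRORs when no username was supplied, and -if-authenticated- is terminating. The Router and Session objects, the telnet() helper and the TACACS+ user table are constructed assumptions built from the tutorial's R1 (Mr.A/cisco at level 4, vty password cisco).

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"   # the three outcomes a method can return


@dataclass
class Router:
    usernames: Dict[str, Tuple[str, int]]     # local database: name -> (password, privilege)
    line_passwords: Dict[str, str]            # 'con 0' / 'vty 0 4' -> line password
    tacacs_users: Dict[str, Tuple[str, int]]  # what the ACS would answer (assumed shape)
    tacacs_reachable: bool = False            # False = no 'tacacs-server host' or server down


@dataclass
class Session:
    line: str                                 # the line the user came in on
    username: Optional[str] = None
    password: Optional[str] = None
    authenticated: bool = False               # set only when a real method returns PASS
    authenticated_user: Optional[str] = None  # set only by a username-based method


def auth_method(method: str, r: Router, s: Session) -> str:
    """Outcome of one 'aaa authentication login' method for this session."""
    if method == "none":
        return PASS                           # nobody was asked, so nobody is authenticated
    matched = s.username
    if method == "line":
        pw = r.line_passwords.get(s.line)
        if pw is None:
            return ERROR                      # no line password to check against
        ok = s.password == pw
    elif method == "local":
        # Local database is PASS or FAIL, never ERROR; the username is matched
        # case-insensitively (the tutorial logs in as mr.a against user Mr.A).
        matched = next((n for n, (pw, _lvl) in r.usernames.items()
                        if n.lower() == (s.username or "").lower() and pw == s.password), None)
        ok = matched is not None
    elif method == "group tacacs+":
        if not r.tacacs_reachable:
            return ERROR                      # server unreachable: IOS moves to the next method
        entry = r.tacacs_users.get(s.username or "")
        ok = entry is not None and entry[0] == s.password
    else:
        raise ValueError(method)
    if not ok:
        return FAIL
    s.authenticated = True
    if method != "line":
        s.authenticated_user = matched        # 'line' never tells the router who logged in
    return PASS


def authz_method(method: str, r: Router, s: Session) -> Tuple[str, Optional[int]]:
    """Outcome of one 'aaa authorization exec' method and the privilege level granted."""
    if method == "none":
        return PASS, 1                        # line default level
    if method == "if-authenticated":
        return (PASS, 1) if s.authenticated else (FAIL, None)
    if method == "local":
        if s.authenticated_user not in r.usernames:
            return ERROR, None                # router cannot tell which local user this is
        return PASS, r.usernames[s.authenticated_user][1]
    if method == "group tacacs+":
        if not r.tacacs_reachable:
            return ERROR, None
        entry = r.tacacs_users.get(s.authenticated_user or "")
        return (PASS, entry[1]) if entry else (FAIL, None)
    raise ValueError(method)


def login(r: Router, s: Session, auth_list: List[str], authz_list: List[str]) -> Optional[int]:
    """Walk both lists the way IOS does; return the EXEC privilege level, or None if blocked."""
    for m in auth_list:
        res = auth_method(m, r, s)
        if res == FAIL:
            return None                       # wrong credentials: no fall-on
        if res == PASS:
            break
    else:
        return None                           # every method ERRORed: user is blocked
    for m in authz_list:
        res, level = authz_method(m, r, s)
        if res == PASS:
            return level
        if res == FAIL or m == "if-authenticated":
            return None                       # '% Authorization failed.'; if-authenticated terminates
    return None                               # list exhausted on ERROR


def telnet(auth_list: List[str], authz_list: List[str], username: Optional[str] = None,
           password: Optional[str] = None, line: str = "vty 0 4",
           router: Optional[Router] = None) -> Optional[int]:
    """R2 connecting to the tutorial's R1 (Mr.A/cisco at level 4, vty password cisco)."""
    r = router or Router({"Mr.A": ("cisco", 4)}, {"con 0": "passconsole", "vty 0 4": "cisco"}, {})
    return login(r, Session(line, username, password), auth_list, authz_list)
```

telnet(["line"], ["local"], password="cisco") reproduces the "% Authorization failed." case (None), telnet(["line"], ["local", "none"], password="cisco") gives level 1, telnet(["local", "line"], ["local"], username="mr.a", password="cisco") gives level 4, and telnet(["none"], ["if-authenticated"]) is denied.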

Q) Yeah ....... Sorry, what did you say?
A) I think you need a break

Q) SO KIND OF YOU, CAN YOU HELP ME WALK OUT OF THE ROOM? I FEEL I WON'T BE ABLE TO WALK!
A) Why?

Q) BECAUSE OF THE HEADACHE!!!!!
A) Yeah...... Right!

Authorization is not completed yet. We will meet in the next part. That part won't take long. By Saturday at the latest I will post it. Thanks for your patience once more. Do provide your feedback.

Edited by pappyaar, 22 July 2009 - 06:40 PM.


#8 casperv

Posted 23 July 2009 - 04:19 AM

QUOTE (pappyaar @ Jun 8 2009, 07:17 AM)
Dear Thead, thanks for the nice comments :-). I will try my level best that future tutorials are more entertaining and worth reading.

Now regarding your question, I am assuming that you have at least configured both of them once.

Both of them are used to provide restricted access to users. Having said this, the restriction process is somewhat cumbersome in the case of privilege levels. Every privilege level consists of a default set of commands. Now let's say you want to give a user very restricted access so that he can do only the following commands

1) show ip int brief
2) show interfaces
3) show version
4) sh ip route

Now before views were there, I could simply do this in 2 ways
1) Assign the user to level 0 and with privilege commands assign the above 4 commands to the user. This is perhaps the best way.
2) Assign the user to some other level, use a long list of privilege commands to remove all other commands, then add the above 4 commands.

Now remember, without an AAA server, this had to be done and was done in the past. Views have some advantage over privilege levels because each view starts empty!! There are usually 2 or 3 default commands like enable, exit, show. Now you can fill this view by adding commands to it through view config mode.
This gives rather more control to the administrator in assigning rights (which commands to execute) to users.

Which shall you use if it comes to restricting user access?
Views are a bit advanced in the sense that they give you easy configuration as to which command you want to add and which to exclude. But to be honest I didn't find the difference to be very appealing. I mean I can almost achieve the same level without using views as well.

Keep in mind all the above discussion was for CLI-based views and not lawful intercept views.



pappyaar

I'm a bit confused. As far as I know, if you use a command in a privilege level, say level 4, that command will not be available to be used in another privilege level. But if you create a view, the same command can be used in multiple views and then you can combine different views into super views (obviously not necessary). What I'm getting at is that you explained that you can use a specific command in multiple privilege levels...this is a bit confusing for me, can you explain??


#9 pappyaar

Posted 23 July 2009 - 01:04 PM

QUOTE (casperv @ Jul 23 2009, 05:19 AM)


Dear Casperv, don't be confused. See, there is a rule regarding commands in the privilege levels.

If a command's DEFAULT level is x, then that command will automatically be present in all levels above x as well. Now let me give you an example of a command, let's say ping.

If you are in level 0, this command is not present. Let's see

On R1

R1#disable 0
R1>?
Exec commands:
call Voice call
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

R1>

You can see the "ping" command is not here. Now there are two ways to find the default level of any given command. The most feasible one is the following command

R1# show parser dump exec | in ping

Output omitted ---
1 ping vrf <string> ipx
1 ping vrf <string> srb
1 ping vrf <string>
1 ping

So the default level of the "ping" command is 1. Now let's log on to level 1

R1#disable 1
R1>sh privi
Current privilege level is 1
R1>?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
call Voice call
clear Reset functions
connect Open a terminal connection
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a
router
mstat Show statistics after multiple multicast tracer
mtrace Trace reverse multicast path from destination t
name-connection Name an existing network connection
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
release Release a resource
renew Renew a resource
resume Resume an active network connection
rlogin Open an rlogin connection
set Set system parameter (not config)

Do a "?" here and you can see ping. Now as per the definition I gave above, the "ping" command will be available from level 1 (the default level of ping) up to level 15. Now let's say I want ping to be available only at level 15. What will I do? I will simply change the level of ping from its default level!!

See

R1(config)#privilege exec level 15 ping
R1(config)#end
R1#
R1#disable 1
R1>ping
Translating "ping"

Translating "ping"

% Unknown command or computer name, or unable to find computer address
R1>sh privi
Current privilege level is 1
R1>

See, now again. If I change the privilege level of a command, IT WILL BE AVAILABLE on THAT LEVEL and HIGHER LEVELS but NOT LOWER LEVELS. Since here I changed the level of ping from its default of 1 to 15, you will not find the ping command on any level below 15 now!!

I hope this clears it up. If I am not wrong, you just focused on my post with Thead. I highly recommend going through my tutorial to further clear all your confusions. This doesn't mean don't ask anything; ask as much as you like, I will try my level best to answer them :-)

Note: The command show parser dump exec is not affected at all by the privilege command. So you will always see the IOS-defined default level of commands. If you modify the privilege level of any command, it will not be reflected in show parser.

Edited by pappyaar, 23 July 2009 - 01:06 PM.


#10 casperv

Posted 23 July 2009 - 04:33 PM

QUOTE (pappyaar @ Jul 23 2009, 05:04 AM) <{POST_SNAPBACK}>
Dear Casperv, dont be confused. See, there is a rule regarding commands in the privilege levels.

If a command's DEFAULT level is x then that command will automatically be present in all levels above x as well. Now let me give you an example of a command lets say ping.

If you are in level 0, this command is not present. Lets see

On R1

R1#disable 0
R1>?
Exec commands:
call Voice call
disable Turn off privileged commands
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
logout Exit from the EXEC

R1>

You can "ping" command is not here. Now there are two ways to find the default level of any given command. The most feasible one is the following command

R1# show parser dump exec | in ping

Output omitted ---
1 ping vrf <string> ipx
1 ping vrf <string> srb
1 ping vrf <string>
1 ping

So the default level of "ping" command is 1. Now lets log on to level 1

R1#disable 1
R1>sh privi
Current privilege level is 1
R1>?
Exec commands:
access-enable Create a temporary Access-List entry
access-profile Apply user-profile to interface
call Voice call
clear Reset functions
connect Open a terminal connection
crypto Encryption related commands.
disable Turn off privileged commands
disconnect Disconnect an existing network connection
enable Turn on privileged commands
exit Exit from the EXEC
help Description of the interactive help system
lat Open a lat connection
lock Lock the terminal
login Log in as a particular user
logout Exit from the EXEC
modemui Start a modem-like user interface
mrinfo Request neighbor and version information from a
router
mstat Show statistics after multiple multicast tracer
mtrace Trace reverse multicast path from destination t
name-connection Name an existing network connection
pad Open a X.29 PAD connection
ping Send echo messages
ppp Start IETF Point-to-Point Protocol (PPP)
release Release a resource
renew Renew a resource
resume Resume an active network connection
rlogin Open an rlogin connection
set Set system parameter (not config)

Do a "?" here and you can see ping here. Now, as per the definition I gave above, the "ping" command will be available from level 1 (default level of ping) to all levels above, up to 15. Now let's say I want ping to be available only to level 15. What will I do? I will simply change the level of ping from its default level!!

See

R1(config)#privilege exec level 15 ping
R1(config)#end
R1#
R1#disable 1
R1>ping
Translating "ping"

Translating "ping"

% Unknown command or computer name, or unable to find computer address
R1>sh privi
Current privilege level is 1
R1>

See, now again. If I change the privilege level of a command, IT WILL BE AVAILABLE on THAT LEVEL and HIGHER LEVELS but NOT on LOWER LEVELS. Since here I changed the level of ping from its default of 1 to 15, you will not find the ping command on any level below 15 now!!

I hope this clears it up. If I am not wrong, you are focusing only on my post in this thread. I highly recommend going through my tutorial to further clear all your confusions. This doesn't mean don't ask anything; ask as much as you like, I will try my level best to answer :-)

Note: The command show parser dump exec is not affected at all by the privilege command. So you will always see the IOS-defined default level of commands. If you modify the privilege level of any command, it will not be reflected in show parser.



Thank You pappyaar

What you explained makes sense.
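The rule pappyaar quotes above (a command is usable at its effective level and every level above it, `privilege exec level` moves that level, and `show parser dump exec` keeps reporting the IOS default) can be checked against a small model. This is an added example written for this thread, not code from the post or from IOS; the command table is built from the `?` output shown in the post, the level-15 entries (`configure`, `reload`) are added for illustration, and the class and method names are my own.

```python
"""Simulation of IOS EXEC command visibility per privilege level.

Added example (not from the forum post or from IOS). It models:
  * a command is visible at its effective level and all higher levels;
  * `privilege exec level N <cmd>` replaces the effective level;
  * `show parser dump exec` still reports the IOS default level.
"""

# Constructed table: default levels taken from the post's `?` output at
# level 0 and level 1; `configure` and `reload` at 15 are illustrative.
DEFAULT_LEVELS = {
    "call": 0, "disable": 0, "enable": 0, "exit": 0, "help": 0, "logout": 0,
    "clear": 1, "connect": 1, "ping": 1, "show": 1, "telnet": 1, "traceroute": 1,
    "configure": 15, "reload": 15,
}


class PrivilegeModel:
    """Tracks IOS default levels plus any `privilege exec level` overrides."""

    def __init__(self, defaults):
        self.defaults = dict(defaults)
        self.overrides = {}  # command -> level set by `privilege exec level`

    def privilege_exec_level(self, level, command):
        """Equivalent of `privilege exec level <level> <command>`."""
        if not 0 <= level <= 15:
            raise ValueError("privilege level must be between 0 and 15")
        if command not in self.defaults:
            raise KeyError(f"unknown exec command: {command}")
        self.overrides[command] = level

    def effective_level(self, command):
        """Level the command currently needs (override wins over default)."""
        return self.overrides.get(command, self.defaults[command])

    def visible_commands(self, level):
        """What `?` would list after `disable <level>`: commands whose
        effective level is at or below the current level."""
        return sorted(c for c in self.defaults if self.effective_level(c) <= level)

    def show_parser_dump_exec(self, command):
        """`show parser dump exec` reports the IOS default, not the override."""
        return self.defaults[command]


if __name__ == "__main__":
    model = PrivilegeModel(DEFAULT_LEVELS)
    print("level 0 :", model.visible_commands(0))
    print("level 1 :", model.visible_commands(1))
    model.privilege_exec_level(15, "ping")       # privilege exec level 15 ping
    print("level 14 after move:", model.visible_commands(14))
    print("show parser dump exec still says:", model.show_parser_dump_exec("ping"))
```

Moving `ping` to 15 removes it from every level below 15 while leaving `show parser dump exec` reporting 1, which is exactly the caveat the post ends with: audit effective levels from the running configuration, not from the parser dump.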

#11 DarkFiber


Posted 28 July 2009 - 09:53 AM

Dear Pappyaar

Thanks for the great Topic & explanation.
You have great tips here... I hit some of them in CCIE R&S labs... ;) and of course it's widely deployed in real life.
Your level of explanation is really great. Thanks a lot... :)

Guys, trust me, these types of commands are deployed on every router in real life. :)


#12 laf_c


Posted 30 July 2009 - 12:51 AM

Great post !!

I especially used aaa authorization exec default local! Very helpful!

Maybe you will continue later with the other authorization branches such as "network" and the last "A" - accounting. First of all, is there any accounting solution except Cisco's ACS?

#13 alienson


Posted 09 September 2009 - 11:41 PM

Thanks pappyaar for this great, great topic :D


but i have 1 question about privilege

If I assigned mr.a to level 4, for example, and mr.b to level 6, and created usernames and passwords for both of them with their level assigned,
what will stop either of them from just using #enable 15??

I tried assigning a password to level 15 but it's not working. The only thing that does work is to assign a user to the level; this way any other user not assigned to that level who uses #enable 15 will see % Error in authentication.

Is there any other way other than assigning users to level 15?

There is no problem with the other levels, they also show % Error in authentication.
The only level I have a problem with is level 15. I need to use a password with it, without a username :D. It doesn't make any sense not to assign my own username to that level to control everything, but I just want to see if there are other ways :D


#14 DarkFiber


Posted 09 October 2009 - 11:40 PM

GREAT POST

SUPERB

#15 Yorel


Posted 10 October 2009 - 02:56 AM

:o :o Many many thanks for these great posts!!!!!

#16 pappyaar


Posted 10 October 2009 - 01:28 PM

Thanks a lot, dear friends, for appreciating it. I will be back on the AAA track in a while to add more content, wish me luck :-).

For alienson, sorry for the delayed response, but can you kindly elaborate your question a little more, since I am not getting which part of the configuration is failing at your end. Also do mention your platform, i.e. PT/dynamips (GNS3)/real routers.

Let me know..

#17 bilgisayar


Posted 03 December 2009 - 06:15 AM

This is really a nice work.

#18 tomislav.t


Posted 19 February 2010 - 07:35 PM

Really great post!!!

#19 shyna


Posted 10 March 2010 - 04:32 PM

GREAT POST. THANKS :)

#20 helium_00


Posted 01 April 2010 - 04:42 PM

Hi,


I have no words to say thank you! All of my doubts have been cleared.
Please come on and complete the topic. We are waiting for the rest of the topic.
Your writing style is really excellent.

A million $ thanks..

#21 pappyaar


Posted 01 April 2010 - 05:33 PM

QUOTE (helium_00 @ Apr 1 2010, 04:42 PM)
Hi,

I have no words to say thank you! All of my doubts have been cleared.
Please come on and complete the topic. We are waiting for the rest of the topic.
Your writing style is really excellent.

A million $ thanks..


Dear Helium, thanks a lot for the kind words. I will surely complete this topic, but it may take some time since currently I am caught up in different projects. My apologies to everyone that I couldn't complete it yet, but I sure will.

Thanks again for appreciating it :-)

#22 helium_00


Posted 09 August 2010 - 03:57 PM

Hello,


I am facing a problem configuring TACACS+ on our routers. I can connect to all of my routers with my TACACS username and password without any problem, but when the leased line is down, we cannot connect to the routers with the local username and password. The TACACS+ configuration is as follows:

aaa new-model
!
!
aaa authentication login default group tacacs+ local
aaa authentication login NO_AUTHEN none
aaa authentication ppp default group default-group local
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization exec NO_AUTHOR none
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default stop-only group tacacs+

username (user) privilege 2 password 7 634gsd76234t

privilege exec level 2 show startup-config
privilege exec level 2 show
privilege exec level 2 ping
privilege exec level 2 trace
privilege exec level 2 clear counters
!
line con 0
password 7 2364523bngsdyf632
authorization commands 1 NO_AUTHOR
authorization commands 15 NO_AUTHOR
authorization exec NO_AUTHOR
login authentication NO_AUTHEN
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 75 in
password 7 73456nzxcncxvh643mvn8
transport input telnet ssh


I think something is missing in my configuration but I am not able to trace it. Please somebody help.



Thanks...
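The configuration above relies on `aaa authentication login default group tacacs+ local` for the fallback. The following is an added simulation, written for this thread and not code from the post or from IOS, of the method-list rule IOS documents: the next method in the list is consulted only when the current one returns an error (the server did not answer), never when the server answers with a rejection. The user names, passwords, the `TacacsGroup`/`LocalDatabase` classes and the `run_method_list` helper are all constructed for the demonstration.

```python
"""Simulation of IOS AAA method-list fallback for `group tacacs+ local`.

Added example, not from the forum post or from Cisco IOS. Encodes the rule
that a later method is tried only after an ERROR (server unreachable), not
after a FAIL (credentials rejected). All users and secrets are constructed.
"""
from enum import Enum


class Result(Enum):
    PASS = "PASS"    # method authenticated the user
    FAIL = "FAIL"    # method answered and rejected the user
    ERROR = "ERROR"  # method could not answer (e.g. TACACS+ server unreachable)


class TacacsGroup:
    """Stand-in for `group tacacs+`; `reachable=False` models the leased line being down."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            return Result.ERROR
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class LocalDatabase:
    """Stand-in for the `local` method, i.e. the router's `username` entries."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, user, password):
        return Result.PASS if self.users.get(user) == password else Result.FAIL


class NoneMethod:
    """Stand-in for `none` (the NO_AUTHEN list on the console in the post)."""

    def authenticate(self, user, password):
        return Result.PASS


def run_method_list(methods, user, password):
    """Walk the list like IOS: stop on PASS or FAIL, continue only on ERROR.
    Returns (final result, trace of (method name, result) actually consulted)."""
    trace = []
    for name, method in methods:
        result = method.authenticate(user, password)
        trace.append((name, result))
        if result is not Result.ERROR:
            return result, trace
    # Every method errored out: IOS fails the login rather than letting it through.
    return Result.FAIL, trace


def build_default_list(tacacs_reachable):
    """Mirrors `aaa authentication login default group tacacs+ local` from the post.
    Constructed accounts: 'netops' exists only on TACACS+, 'user' only locally."""
    tacacs = TacacsGroup(users={"netops": "tacacs-secret"}, reachable=tacacs_reachable)
    local = LocalDatabase(users={"user": "local-secret"})
    return [("group tacacs+", tacacs), ("local", local)]


if __name__ == "__main__":
    for reachable in (True, False):
        for creds in (("netops", "tacacs-secret"), ("user", "local-secret")):
            result, trace = run_method_list(build_default_list(reachable), *creds)
            print(f"tacacs reachable={reachable!s:5} {creds[0]:7} -> {result.value:5} via {trace}")
```

Two outcomes matter for the question above. With the server reachable, the local-only account is rejected by TACACS+ and the `local` method is never consulted, so a local account is not a second way in while the server is answering. With the server unreachable, the first method returns an error and the login falls through to `local`, which then needs a matching `username` entry to succeed.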

#23 MuhammadZ


Posted 06 October 2010 - 04:03 AM

pappyaar.

Thanks for the great info. Do you have this in document format? Is this article closed / completed?


Thanks.

#24 ciscobox


Posted 19 October 2010 - 03:52 AM

Good read!!

Thanks!!

#25 Midhun Kumar


Posted 28 January 2011 - 07:36 PM

pappyaar.
.......... nice job.. thank you buddy

#26 netdogo


Posted 17 January 2012 - 05:57 AM

This is a great tutorial. It really helped me with setting the allowed commands per level in a way I did not understand before. Nice work.

#27 rocky5


Posted 23 January 2012 - 09:50 PM

good ya

#28 sriikanthreddy


Posted 28 January 2012 - 06:47 PM

Thank you very much pappyaar.

Great explanation. Continue the topic.

I am using a 3750. I didn't find the one-time password there for privileges. What might be the reason?

#29 linda86


Posted 14 August 2012 - 04:42 PM

Thank you, Technical Experts, very much for sharing so many practical details step by step... It's really hard work to make something clear on Cisco... But you make this thing a lot easier! Amazing!